We have cookies that are generated by an appliance in our infrastructure, we do not have access to the configuration of the appliance so cannot set the HTTPOnly flag on the cookies it generates directly.
We do have a varnish 4 cache in front of this appliance, is it possible to set the HTTPOnly flag on the cookie there? If so how can it be done?
If your backend only sets one Set-Cookie header per response, adding the HttpOnly flag to that header can be trivially done during the vcl_deliver subroutine. You simply need to rewrite resp.http.Set-Cookie using regsub().
However, if multiple Set-Cookie headers are possible in a single response, previous solution is not valid. You could consider a similar approach, first merging all Set-Cookie headers in a single comma-delimited Set-Cookie header using std.collect(), and the rewriting the merged header using regsuball() to add the HttpOnly flag. However, merging Set-Cookie headers is a bad idea. Some browsers don't like merged headers and prefer that each Set-Cookie header is sent separately.
Summary: there is nothing you can do in VCL to add the HttpOnly flag when multiple Set-Cookie headers are possible in a single response. That can only be implemented using a VMOD. I'm not aware of any VMOD doing what you need, but it could be trivially implemented on your own.
