If your backend only sets one Set-Cookie header per response, adding the HttpOnly flag to that header can be trivially done during the vcl_deliver subroutine. You simply need to rewrite resp.http.Set-Cookie using regsub().
However, if multiple Set-Cookie headers are possible in a single response, the previous solution is not valid. You could consider a similar approach: first merging all Set-Cookie headers into a single comma-delimited Set-Cookie header using std.collect(), and then rewriting the merged header using regsuball() to add the HttpOnly flag. However, merging Set-Cookie headers is a bad idea. Some browsers don't like merged headers and prefer that each Set-Cookie header is sent separately.
Summary: there is nothing you can do in VCL to add the HttpOnly flag when multiple Set-Cookie headers are possible in a single response. That can only be implemented using a VMOD. I'm not aware of any VMOD doing what you need, but it could be trivially implemented on your own.