Support for httponly cookie attribute?

The OpenVAS scan against the Grafana server revealed the cookie setting

Set-Cookie: redirect_to=%252F; Path=/

which is flagged as insecure because it does not have the ‘httponly’ attribute.
Is there a directive, say in grafana.ini, similar to

cookie_secure = false

that can add such attribute? For example,

cookie_httponly = true

will result in

Set-Cookie: redirect_to=%252F; Path=/; HttpOnly

This will make Grafana more PCI compliant.



Not currently, but this cookie is not used for anything security-related.

The usual reply from the auditor is that even though this is not
session-related, hackers can exploit this and redirect the URL to some place
unintended. So the best practice is to not allow such exploitation for any
cookies. To keep the auditor happy we have to use an Apache frontend to
rewrite this cookie. Hopefully this can get priority to be fixed in Grafana.
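The Apache front-end workaround mentioned above, written out as an added example (not the poster's configuration and not Grafana project code). It assumes Grafana listens on 127.0.0.1:3000, a hypothetical hostname grafana.example.com with certificate paths under /etc/ssl, and that mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded. The Header edit rules append HttpOnly (and Secure, since the TLS terminator is Apache) to every Set-Cookie the backend emits, skipping cookies that already carry the attribute so it is never doubled:

```apache
# Added example: Apache reverse proxy in front of Grafana that forces
# HttpOnly and Secure onto every Set-Cookie header the backend emits.
# Hostname, backend address and certificate paths are assumptions.
<VirtualHost *:443>
    ServerName grafana.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/grafana.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/grafana.example.com.key

    # Plain proxy to the Grafana process; keep Host so Grafana builds correct URLs.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/

    # "always" applies the edit to non-2xx responses too (e.g. the 302 that
    # sets redirect_to). The negative lookahead (?!;\s*HttpOnly) matches only
    # cookies that do not already carry the attribute, so nothing is appended twice.
    Header always edit Set-Cookie (?i)^((?:(?!;\s*HttpOnly).)*)$ "$1; HttpOnly"
    Header always edit Set-Cookie (?i)^((?:(?!;\s*Secure).)*)$   "$1; Secure"
</VirtualHost>
```

After reloading Apache, `curl -sI https://grafana.example.com/login | grep -i set-cookie` should show `redirect_to=%252F; Path=/; HttpOnly; Secure`. One caveat before rolling this out: HttpOnly hides a cookie from `document.cookie`, so if any part of the Grafana UI reads a cookie in the browser (the last reply in this thread suggests redirect_to may be set from the frontend), exercise the login redirect flow in a browser and confirm it still lands on the intended page.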



This cookie might actually need to be created from the frontend.