Cookie 'sidebar_collapsed' not secure HttpOnly

I have gitlab version 15.11, and our Security team scan the system and find that the ‘sidebar_collapsed’ cookie is not set with HttpOnly.

is there any way we can mark this cookie as httponly.
otherwise we are not allowed to use the gitlab ce on-prem.


Does anyone have this problem? Does everyone have this cookie with httponly?

Try this: How to configure custom nginx headers on gitlab community edition 15.0.0 (#2) · Issues · OpenSource / GitLab Community Edition · GitLab

Also googling this also shows this as being low risk anyway, so I cannot understand why your security team is so pedantic about it. I understand critical and high releases needing addressing immediately, but blocking something with such a low priority is just senseless.

hi @iwalker
Thanks for your response
I tried what is written but I still see that sidebar_collapsed cookies are not httponly
Do you have another idea?