I believe every version from 16.7 onward has it enabled by default <https://github.com/gocd/gocd/blob/e89a9c654bd0a6636c7ff0b97246ed33e11dbbe1/jetty9/src/com/thoughtworks/go/server/Jetty9Server.java#L110>. I don't think there's any easy way to turn it on for older versions, which are unsupported anyway.
On Wed, Aug 2, 2017 at 6:18 PM, Rajakumar Narasimhadevara <[email protected]> wrote:

> Hi All.
> Our security teams have suggested that we add the HTTPOnly attribute to
> the cookie that is getting written by the GoCD server. Could someone share
> the details on how to enable this for various versions ranging from GoCD
> 15.1 to 17.6?
>
> Is jetty.xml the file to update and if yes, what is the format to add the
> attribute?
>
> Thanks and Regards
> Raja
>
> --
> You received this message because you are subscribed to the Google Groups
> "go-cd" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
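
To confirm what a given server version actually sends, the check below parses raw response headers and lists the cookies set without the HttpOnly attribute. It is an added example, not part of the original thread or of GoCD; the sample headers, cookie names and values are constructed.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_httponly(raw_response_headers):
    """Return the names of cookies that are set without HttpOnly."""
    missing = []
    for line in raw_response_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        # Look at parsed attributes only: a cookie *value* that happens
        # to contain the text "HttpOnly" must not count as the flag.
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample responses (not captured from a real server).
SAMPLE_WITHOUT_FLAG = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=node01abc; Path=/\r\n"
    "Content-Type: text/html\r\n"
)
SAMPLE_WITH_FLAG = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=node01abc; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    for label, sample in (("without flag", SAMPLE_WITHOUT_FLAG),
                          ("with flag", SAMPLE_WITH_FLAG)):
        print(label, "->", cookies_missing_httponly(sample) or "all HttpOnly")
```

Feed it the headers saved from a request to the server's login page (for example the output of `curl -s -D - -o /dev/null <server URL>`) to see whether the session cookie carries the flag.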
