Thanks for the detailed explanation. I think I know what’s the issue you are facing.
edit only works if the header already exists (
Set-Cookie in your case), but I launched a new WordPress server and the
Set-Cookie header was not set by default.
To do a test, I added the next lines in the
Header set MyHeader "Hello world!"
Header set Set-Cookie "bitnami"
Header append Set-Cookie HttpOnly;Secure
which is creating two different custom header, and appending the `` value to the
Set-Cookie. I added those lines right above the next lines
# The following lines prevent .user.ini PHP settings files from being viewed by Web clients.
After that, I restarted Apache and I get the new headers as you can see below
$ curl -LI "http://127.0.0.1/"
HTTP/1.1 200 OK
Date: Fri, 30 Apr 2021 09:01:27 GMT
Link: <http://127.0.0.1/wp-json/>; rel="https://api.w.org/"
MyHeader: Hello world!
Set-Cookie: bitnami, HttpOnly;Secure
Cache-Control: max-age=0, no-cache
Content-Type: text/html; charset=UTF-8
Notice Apache internally appended the two values using a comma and a whitespace. Not sure if you would need to take it into account for the
HttpOnly;Secure string or not. According to the official Apache docs, this is the right way of setting a header with multiple values
The response header is appended to any existing header of the same name. When a new value is merged onto an existing header it is separated from the existing header with a comma. This is the HTTP standard way of giving a header multiple values.
append will also create the header in case it doesn’t exist, so you don’t need the
Header set Set-Cookie I think