Missing tag "httpOnly": true in cookie preferred_language

The cookie "preferred_language" actually comes without the tag "httpOnly": true. This was issued by our company security scan.

This tag is already set in cookie "_gitlab_session" and we need to set the tag "httpOnly" in cookie "preferred_language" too:

"_gitlab_session": {
	"expires": "2023-03-08T11:01:49.000Z",
	"httpOnly": true,
	"path": "/",
	"samesite": "None",
	"secure": true,
	"value": ""
},
"preferred_language": {
	"path": "/",
	"samesite": "None",
	"secure": true,
	"value": "en"
}

Proposal

Whilst this is required for the normal operation of GitLab, we can allow self-managed users to opt-out via an ops feature flag. When toggled on, this flag will remove the language switcher and prevent the setting of the preferred language cookie.

See relevant discussion

Edited by Sam Beckham
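
A check of the kind the scan reports can be reproduced against output in the format quoted in the issue. This is an added example, not GitLab code or the scanner's own logic; `audit_cookies` and `SAMPLE_SCAN` are hypothetical names, and the sample wraps the quoted fragment in braces so that it parses as JSON.

```ruby
require "json"

# Constructed sample in the shape of the scan output quoted in the issue,
# wrapped in braces so that it parses as a JSON object.
SAMPLE_SCAN = <<~JSON
  {
    "_gitlab_session": {
      "expires": "2023-03-08T11:01:49.000Z",
      "httpOnly": true,
      "path": "/",
      "samesite": "None",
      "secure": true,
      "value": ""
    },
    "preferred_language": {
      "path": "/",
      "samesite": "None",
      "secure": true,
      "value": "en"
    }
  }
JSON

# Returns { cookie_name => [findings] } for cookies with weak attributes.
# An absent attribute is treated the same as one set to false, which is
# how the missing "httpOnly" key on preferred_language is read.
def audit_cookies(scan_json)
  JSON.parse(scan_json).each_with_object({}) do |(name, attrs), report|
    findings = []
    findings << "missing httpOnly" unless attrs["httpOnly"] == true
    findings << "missing secure" unless attrs["secure"] == true
    # Modern browsers reject SameSite=None cookies that are not also Secure.
    if attrs["samesite"].to_s.casecmp?("none") && attrs["secure"] != true
      findings << "samesite=None without secure"
    end
    findings << "no samesite attribute" if attrs["samesite"].nil?
    report[name] = findings unless findings.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_cookies(SAMPLE_SCAN).each do |name, findings|
    puts "#{name}: #{findings.join(', ')}"
  end
end
```

Run on the sample, the only finding is the missing `httpOnly` attribute on `preferred_language`; `_gitlab_session` passes every check.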