Add httponly and secure cookie if not present

Hi all

I’d like to add Secure and HttpOnly to all cookies, when these securities are not already set by backend app, but I can’t find the way to do this properly.
Add is OK, but on cookies which have these notions, I have them twice (my acl doesn’t seems to work)

Even on a single cookie, I can’t figure how to do this
I’ve tried as shown in documentation

 acl secured_cookie res.cook(JSESSIONID),lower -m sub secure
 acl httponly_cookie res.cook(JSESSIONID),lower -m sub httponly
 http-response replace-header Set-Cookie (.*) \1;\ Secure if !secured_cookie
 http-response replace-header Set-Cookie (.*) \1;\ HttpOnly if !httponly_cookie

but when I curl URL, I have this cookie in header

set-cookie: JSESSIONID=BED876AD41ED3F0367F986921AE83711; Path=/cas; Secure; HttpOnly; Secure; HttpOnly

Ideally, I’d like to do this on all cookies.
Any help would be appreciated