Inherit SpringBootServletInitializer in the startup class, and then override this method
public void onStartup(ServletContext servletContext) throws ServletException { super.onStartup(servletContext); // This will set to use COOKIE only servletContext.setSessionTrackingModes( Collections.singleton(SessionTrackingMode.COOKIE) ); // This will prevent any JS on the page from accessing the // cookie - it will only be used/accessed by the HTTP transport // mechanism in use SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig(); sessionCookieConfig.setHttpOnly(true); }