Hi,
Thanks for this; it is pretty close to what I need. I just tried it out in the regex101.com editor and I think there might be a vulnerability: https://regex101.com/delete/ypHV2Yw6o3wHqGDQTHRPZw3r
The client could include the same cookie name twice. This regexp would only strip out one of them. If the client sets a JavaScript cookie with the same name as the HttpOnly cookie you are trying to protect then they might end up getting the secret cookie passed through to the origin server. Not sure if you can contrive a practical attack from this observation.
I have not yet found a general solution. In my case I am using the auth_request directive of Nginx so the auth_request service (a Python script) can provide the value of the onward Cookie header.
Regards,
James
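
The duplicate-name case raised in the post above, as an added example that is not part of the original post or of the regex under discussion: a single-match strip leaves the second pair in the header, while rebuilding the header pair by pair drops every occurrence. The cookie name `session`, both function names, and the sample header are assumptions constructed for illustration.

```python
import re

PROTECTED = "session"  # hypothetical cookie name, not taken from the thread

# Constructed sample: the same cookie name appears twice in one Cookie header.
SAMPLE_HEADER = "session=secret1; theme=dark; session=secret2"


def strip_first_match(header: str, name: str = PROTECTED) -> str:
    """Constructed stand-in for a single-match regex strip (not the thread's regex)."""
    pattern = re.compile(r"(^|;\s*)" + re.escape(name) + r"=[^;]*")
    # count=1 mirrors a substitution that fires only once per header.
    return pattern.sub("", header, count=1).lstrip("; ")


def strip_all(header: str, name: str = PROTECTED) -> str:
    """Rebuild the Cookie header, dropping every pair whose name matches exactly."""
    kept = []
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # tolerate empty segments such as ";;"
        cookie_name = pair.split("=", 1)[0].strip()
        if cookie_name == name:
            continue  # drop every occurrence, not just the first
        kept.append(pair)
    return "; ".join(kept)


if __name__ == "__main__":
    print("first-match strip:", strip_first_match(SAMPLE_HEADER))
    print("strip all        :", strip_all(SAMPLE_HEADER))
```
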