In ASP.NET Core the web.config file is gone. Instead we use project.json, which is fine.

One of the things we used to do in web.config is configuring all cookies to be HttpOnly and -- in some cases -- Secure. These options are not available in project.json.

In ASP.NET Core I would expect there to be some middleware that can handle this, but I haven't found anything.

I am pretty sure Microsoft did not overlook this feature but where is it? Can someone please fill me in?