As per specification https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00 :
If a cookie’s name begins with “__Host-”, the cookie MUST be:
- Set with a “Secure” attribute
- Set from a URI whose “scheme” is considered “secure” by the user
agent. - Sent only to the host which set the cookie. That is, a cookie
named “__Host-cookie1” set from “https://example.com” MUST NOT
contain a “Domain” attribute (and will therefore be sent only to
“example.com”, and not to “subdomain.example.com”). - Sent to every request for a host. That is, a cookie named
“__Host-cookie1” MUST contain a “Path” attribute with a value of
“/”.
As per item 4 this means that we cannot do much here. That said, not having this security hardening doesn’t put you at risk. But it is something that you can consider for a future deployment.
If you really want to have an A+ rating here the easiest way would be to change the DocumentRoot in the apache configuration. However, all your connected clients would need to be reconnected and sharing links would stop working.