cookie & requestVerificationToken is set without the HttpOnly Cookie parameter

Question

Pen test finding below: 
How to set cookie &amp; requestVerificationToken with the HttpOnly Cookie parameter on LTM running on 11.6&nbsp;
Risk : When a cross-site scripting vulnerability is present, an attacker may unnecessarily be able to retrieve sensitive information from cookies. &nbsp;
Recommendation: Supply the HttpOnly cookie parameter when the server sets a cookie through Set-Cookie.&nbsp;
I have found how to set HttpOnly with i-rule but not sure what is RequestVerificationToken &gt;&nbsp;
Can sonmeone please help me with RequestVerficationToken what is this and how to fix it?&nbsp;

chris_grant · Answer

If you're not running ASM, you may need to look to your application, but if you're running ASM, we can help pretty easily:  https://support.f5.com/csp/article/K11930&nbsp;

Forum Discussion

cookie & requestVerificationToken is set without the HttpOnly Cookie parameter

Recent Discussions

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

Related Content

Brute Force protection for single parameter like OTP

Wildcard Parameter signature attack

Parameter Value - Regular Expression

AWAF Path Parameters with OPENAPI json file

HTTP auth - Calling external API with parameters

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS