Forum Discussion
Cookie Does Not Contain The "secure" Attribute on ltm vip
Our security team reported that multiple vulnerabilities have been detected on one of the VIPs: 1.2.3.4 (on BIG-IP LTM v12.1.2).
Please refer to the list below:
1. Cookie Does Not Contain The "secure" Attribute
2. Path-Based Vulnerability
3. Session Cookie Does Not Contain the "Secure" Attribute
4. Slow HTTP POST vulnerability
I also referred to the article below, but I don't find any kind of persistence profile enabled, and no custom HTTP profile exists on this VIP.
K30524234: The HTTPOnly and Secure attributes are enabled by default in the Cookie persistence profile
If cookie persistence is not enabled on the VIP, then is it something that needs to be looked at on the backend server (pool member)? Please confirm.
Kindly help me to fix this issue.
Great thanks,
Girish
- Former Member
Closing as duplicate with https://devcentral.f5.com/s/feed/0D51T00008GZjNySAL
- spalandeNacreous
F5 will add its own cookie in one of the following scenarios:
- cookie persistence
- ASM
- APM
- custom iRule adding a cookie
If you have confirmed BIG-IP is not adding any of the cookies, then they must be set by the application. Ask the security team for the names of the cookies which do not have the Secure/HttpOnly attributes set. If those are not added by BIG-IP, it can be fixed by the DEV/server team. Alternatively, BIG-IP can also fix it by adding a custom iRule to set these attributes in the HTTP RESPONSE event.
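The triage suggested in the reply above (find which cookies lack the attributes, then decide whether BIG-IP or the application set them) can be scripted. The following is an added example, not part of the original thread and not F5 code; the name patterns assume BIG-IP default cookie naming (`BIGipServer<pool>` for persistence, `TS` plus hex for ASM, `MRHSession`/`LastMRH_Session` for APM), and the sample headers are constructed.

```python
import re

# Heuristic name patterns, assuming BIG-IP default cookie names were not changed.
BIGIP_PATTERNS = [
    (re.compile(r"^BIGipServer"), "LTM cookie persistence"),
    (re.compile(r"^TS[0-9a-fA-F]{6,}"), "ASM"),
    (re.compile(r"^(MRHSession|LastMRH_Session)$"), "APM"),
]

def parse_set_cookie(header):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def likely_source(name):
    """Guess who set the cookie from its name alone."""
    for pattern, module in BIGIP_PATTERNS:
        if pattern.search(name):
            return "BIG-IP (" + module + ")"
    return "application or custom iRule"

def audit(headers):
    """List cookies missing Secure and/or HttpOnly, with the likely owner."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
        if missing:
            findings.append({"cookie": name, "missing": missing,
                             "likely_source": likely_source(name)})
    return findings

# Constructed sample: Set-Cookie values as captured from responses through the VIP.
SAMPLE_HEADERS = [
    "JSESSIONID=0000abcd; Path=/app; HttpOnly",
    "BIGipServerpool_web=1677787402.20480.0000; path=/",
    "TS01a2b3c4=01ffee; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_HEADERS):
        print(f["cookie"], "missing", ",".join(f["missing"]), "->", f["likely_source"])
```

Cookies reported as "application or custom iRule" are the ones to hand to the server team or to cover with an iRule on the VIP; a name match is only a hint, so confirm against the virtual server's profiles and iRules.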