cookie encryption using Http profile and irule

Question

Hi,&nbsp;
Tried cookie encryption using the irule and http profile. However, When ran a vulnerability scanner from the internet the cookie is leaking internal Ips etc. Not sure what am is missing? Please help.&nbsp;
ltm rule cookie_domain {
    partition test-dmz
    when HTTP_REQUEST {
  set domainname [HTTP::host]
}
}&nbsp;
ltm rule cookie_secure {
    partition test-dmz
    when HTTP_RESPONSE {
  foreach aCookie [HTTP::cookie names] {
    HTTP::cookie secure $aCookie enable
  }
}
}&nbsp;
ltm persistence cookie Com_cookie {
    app-service none
    defaults-from cookie
    expiration 0
}&nbsp;
create ltm profile http http-cookieencrypt defaults-from http encrypt-cookies add { Com_cookie } encrypt-cookie-secret "Password01"&nbsp;
ltm profile http http-cookieencrypt {
    app-service none
    defaults-from http
    encrypt-cookie-secret Password01
    encrypt-cookies { Com_cookie }
}&nbsp;

yann_desmarest · Answer

Hello, &nbsp;
You encrypt everything except persistence cookies. You should add encryption within the Cookie persistence profile assigned to your VS.&nbsp;

Forum Discussion

cookie encryption using Http profile and irule

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Encrypt HTTP cookies with dynamic names

Cookie Encryption Across Pools and Services

Re: SYN Cookie operation

Re: LTM SYN Cookie Configuration

Lock and Key - Encrypting EBS Disk Volumes for BIG-IP AWS Deployments

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS