Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Chris_Phillips's avatar
Chris_Phillips
Icon for Nimbostratus rankNimbostratus
May 15, 2012

Cookie security - Encryption vs Secure+HttpOnly

Howdy,     We're currently running a tweak version of the rule here https://devcentral.f5.com/weblogs/J...style.aspx on our 10.2 LTM's. it doesn't work well and has never been well integrated in...
app sec
BIG-IP Access Policy Manager (APM)
security
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jun 01, 2012
Hi Chris,

 

 

As you said, HttpOnly is an attempt to mitigate XSS. Encrypting cookies mitigates cookie value tampering and possibly information disclosure if you're using cookie values with meaningful data (as opposed to session IDs, etc). But encryption does nothing to prevent use of another user's cookies by a malicious user.

 

 

There is a fairly significant performance hit with encrypting cookie values so I'd only use it if you're concerned about information disclosure or cookie tampering.

 

 

Aaron