Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

dgytech's avatar
dgytech
Icon for Altostratus rankAltostratus
Jul 25, 2017

Exclude specific cookie from set_cookie_header iRule

We currently apply "Secure" and "HttpOnly" via the iRule below. We now need to exclude any cookie that starts with "XSRF-TOKEN" from the "HttpOnly" portion of this iRule. Any help in syntax would b...
application delivery
devops
irules
dgytech's avatar
dgytech
Icon for Altostratus rankAltostratus
Jul 26, 2017

Thank you again for your assistance, very much appreciated!! We were able to get it to work with a few tweaks. 

when HTTP_RESPONSE {
    set unsafe_cookie_headers [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"

        foreach set_cookie_header $unsafe_cookie_headers {
    if { $set_cookie_header starts_with "XSRF-TOKEN"} then { 
        HTTP::header insert "Set-Cookie" "${set_cookie_header}; Secure"
    } else {
        HTTP::header insert "Set-Cookie" "${set_cookie_header}; Secure; HttpOnly"
        }
    }
}
  • Lee_Sutcliffe's avatar
    Lee_Sutcliffe
    Icon for Nacreous rankNacreous
    Jul 26, 2017

    Pleased you got it working and thanks for sharing the final solution. :)

     

    MP