Jul 27, 2021

F5 APM cookie F5_ST not supporting httpOnly - is there any explicit documentation on that?

Env: LTM


Hi - we are working to address with our Security department a vulnerability scan, which has pointed out that during APM-managed login sessions the cookie "F5_ST" is set without the httpOnly option.


In the documentation for the APM cookies, it describes how this cookie is processed by JavaScript - which makes complete sense of why it doesn't support httpOnly.


However, we would benefit from an explicit statement to that effect. Is anyone aware of any such statement in F5 documentation? I have searched, but have not been able to find anything. I also can't find anything in DevCentral (except individuals asking how to set httpOnly, without receiving any replies). If anyone is aware of any statement, even if not official, that supports my assertion that httpOnly cannot be used, that would be helpful in the absence of an explicit statement.


Thank you!

