Forum Discussion
F5 APM cookie F5_ST not supporting httpOnly - is there any explicit documentation on that?
Env: LTM 13.1.3.6
Hi - we are working to address with our Security department a vulnerability scan, which has pointed out that during APM-managed login sessions the cookie "F5_ST" is set without the httpOnly option.
In the documentation for the APM cookies (https://support.f5.com/csp/article/K15387), it describes how this cookie is processed by Javascript - which makes complete sense of why it doesn't support httpOnly.
However, we would benefit from an explicit statement to that effect. Is anyone aware of any such statement in F5 documentation? I have searched, but have not been able to find anything. I also can't find anything in devcentral (except individuals asking how to set httpOnly, without receiving any replies). If anyone is aware of any statement, even if not official, that supports my assertion that httpOnly cannot be used, that would be helpful in absentia of an explicit statement.
Thank you!
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com