Forum Discussion

Nimbostratus

Nov 29, 2017

How to fix secure cookie parameter - finding of pen test

We had a pen test get done on newly deployed application. and one of their finding is When cookies are set which are used on the encrypted (HTTPS) part of the website, the Secure cookie paramete...

application delivery

LTM

AshuA_246482

Nimbostratus

Nov 29, 2017

Another finding : cookie & requestVerificationToken is set without the HttpOnly Cookie parameter

question : How to set cookie & requestVerificationToken with the HttpOnly Cookie parameter on LTM running on 11.6 Risk : When a cross-site scripting vulnerability is present, an attacker may unnecessarily be able to retrieve sensitive information from cookies. Recommendation: Supply the HttpOnly cookie parameter when the server sets a cookie through Set-Cookie.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

How to fix secure cookie parameter - finding of pen test

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Kubernetes cert-manager + LetsEncrypt + F5

ACME DNS RFC-2136 Let's Encrypt certs

MAC users unable to access Internet when on Netskope

Could not communicate with the system. Try to reload page.

F5 mssql health monitor failing

Related Content

Quarterly Security Notification October 2025

Positive Security vs. Negative Security: A Comparison Using F5's Security Portfolio

BIG-IP security hardening and compliance checks

HTTP Multipart and Security Implications

What is Shape Security?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS