How to set httponly without secure flag

Question

Please advise How to set httponly without secure flag? is the below ok?&nbsp;
when HTTP_RESPONSE {
   set var [HTTP::header values "Set-Cookie"]
   HTTP::header remove "Set-Cookie"
   foreach tcookie $var {
         HTTP::header insert "Set-Cookie" "${tcookie}; HttpOnly; "
      }
   }&nbsp;

hannes_rapp · Answer

Use HTTP::cookie httponly CookieName enable function. Ref: https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx
when HTTP_RESPONSE {
   Iterate through all server-inserted cookies. Enable the httponly option
  foreach cookieName [HTTP::cookie names] {
    HTTP::cookie httponly $cookieName enable
  }
}

Forum Discussion

How to set httponly without secure flag

1 Reply

Recent Discussions

(How) can I get two client certificates in one APM session?

Open Redirection Mitigation

Using okta as SSO to login F5 GUI

snmp automatic stop mail send

BIG-IP DNS iRule issue with static variable

Related Content

Using ChatGPT for security and introduction of AI security

Auditing Security Policy Updates

HTTP Multipart and Security Implications

Using Distributed Application Security Policies in Secure Multicloud Networking Customer Edge Sites

Minimizing Security Complexity: Managing Distributed WAF Policies