For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dw_888_212625's avatar
dw_888_212625
Icon for Nimbostratus rankNimbostratus
Nov 18, 2015

How to set httponly without secure flag

Please advise How to set httponly without secure flag? is the below ok?   when HTTP_RESPONSE { set var [HTTP::header values "Set-Cookie"] HTTP::header remove "Set-Cookie" foreach tcookie ...
LTM
security
Hannes_Rapp's avatar
Hannes_Rapp
Icon for Nimbostratus rankNimbostratus
Nov 18, 2015

Use 

HTTP::cookie httponly CookieName enable
function. Ref: https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx

when HTTP_RESPONSE {
   Iterate through all server-inserted cookies. Enable the httponly option
  foreach cookieName [HTTP::cookie names] {
    HTTP::cookie httponly $cookieName enable
  }
}