Forum Discussion

Nimbostratus

Nov 19, 2014

http_only iRule no longer needed?

We have recently upgraded from a pair of 6400's running 10.2.0 to a pair of 5000s' running 11.4.0 running LTM and ASM. I had thought that at some point in between there that the http_only cookie ...

Nacreous

Nov 19, 2014

Hi,

if you use ASM security policy you can add http_only attribute by:

Security  ››  Application Security : Headers : Cookies List  ››  Edit Cookie

and set

Insert HttpOnly attribute

. But be aware that the Application Security will not check the enforcement of this attribute

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

http_only iRule no longer needed?

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

Help with an iRule to disconnect active connections to Pool Members that are "offline"

How to configure ssh access by key on F5OS

Questions on R-Series 5800s

iRule Approach to Mask Authorization Header for Bot Defense Logging – Validation Needed

Cloud Apps Protection

Related Content

Security Sidebar: Is Tor No Longer Safe?

Need to create irule

Need help with irule

F5 Certifications Mega Meta Series: The art of knowing what you need to know

Security is no longer just an IT concern, but is behaviour changing?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS