Forum Discussion

Nimbostratus

Dec 29, 2015

httponly and secure cookie attributes in application vs. ASM cookies on v11.4.1

Vulnerability scanners in our environment have flagged applications as needing the httponly and secure attributes set so I started investigating what I needed to do. I discovered the ASM cookie sett...

Nimbostratus

Dec 29, 2015

Your question seems to be: since the ASM cookies aren't part of the application per se, do you need to adjust them or can you get by without adjusting them? The answer is almost certainly that yes, you need to adjust them - the scanner doesn't care where they come from; it was told to scan an IP, it sees cookies it doesn't like at that IP, it reports them. Unless you can somehow convince your scanner vendor to except that finding, which is unlikely.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

httponly and secure cookie attributes in application vs. ASM cookies on v11.4.1

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

SSO login for APM Profiles

Virtual Server Configuration requirements for ISO 8583 traffic (Single persistent TCP session)

threat hunting guide

Webtop which has VNC for macos users

Floating IP responds from wrong VLAN/trunk

Related Content

Introducing the F5 Application Study Tool (AST)

Set the SameSite Cookie Attribute for Web Application and BIG-IP Module Cookies

System Prerequisites for Deploying the Application Study Tool

Application Study Tool: Make Grafana Listen on HTTPS

How to add Httponly and Secure attributes to HTTP cookies (for 11.5.x)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS