Forum Discussion

Nimbostratus

Dec 29, 2015

httponly and secure cookie attributes in application vs. ASM cookies on v11.4.1

Vulnerability scanners in our environment have flagged applications as needing the httponly and secure attributes set so I started investigating what I needed to do. I discovered the ASM cookie sett...

Nimbostratus

Dec 29, 2015

Your question seems to be: since the ASM cookies aren't part of the application per se, do you need to adjust them or can you get by without adjusting them? The answer is almost certainly that yes, you need to adjust them - the scanner doesn't care where they come from; it was told to scan an IP, it sees cookies it doesn't like at that IP, it reports them. Unless you can somehow convince your scanner vendor to except that finding, which is unlikely.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

httponly and secure cookie attributes in application vs. ASM cookies on v11.4.1

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

SAML attributes

Automating Application Deployment with BIG-IQ

set HTTPOnly in cookie

GitOps: Declarative Infrastructure and Application Delivery with NGINX App Protect

Automate Application Delivery with F5 and HashiCorp Terraform and Consul

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS