For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

SL's avatar
SL
Icon for Cirrus rankCirrus
Sep 17, 2015

httponly option without http profile

Hi All   Is it at all possible to enable the httponly option other than using cookie or ASM?   Reason for the question is that I am trying to enable ASM for IBM Endpoint Manager for Remote Cont...
application delivery
ASM Advanced WAF
deployment
LTM
security
TMSH
Robert_Teller_7's avatar
Robert_Teller_7
Historic F5 Account
Oct 06, 2015

You can try enabling the HTTP Profile and then using an iRule to disable HTTP for any request that isn't RFC compliant.

I have attached a snippet that will verify that the first portion of the request contains a string followed by a forward slash.

For an HTTP Request

when CLIENT_ACCEPTED  {
    HTTP::disable

    TCP::collect 20
}
when CLIENT_DATA {
    scan [TCP::payload] {%s %c} METHOD REQUEST
    if {$METHOD ne "" && $REQUEST eq "/"}
    {
        HTTP::enable
    }

    TCP::release
}

For an HTTPS Request

when CLIENT_ACCEPTED  { HTTP::disable }
when CLIENTSSL_CLIENTHELLO { SSL::collect 20}

when CLIENTSSL_DATA {
    scan [SSL::payload] {%s %c} METHOD REQUEST
    if {$METHOD ne "" && $REQUEST eq "/"}
    {
        HTTP::enable
    }
    SSL::release
}
SL's avatar
SL
Icon for Cirrus rankCirrus
Oct 20, 2015
Hi Robert I created and enabled the iRule, it still says that I need to enable a SSL Profile