For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

toneman172_1806's avatar
toneman172_1806
Icon for Nimbostratus rankNimbostratus
Nov 29, 2017

OWASP A2 HTTP Cookie Protection

Hello all,   I'm looking for any information regarding configuration of HTTP cookie protection on ASM v12.1.2. I understand automatic policy builder includes this protection when using enhanced a...
ASM Advanced WAF
security
toneman172_1806's avatar
toneman172_1806
Icon for Nimbostratus rankNimbostratus
Nov 29, 2017

Thanks for the reply. One of the ASM controls addressing A2 is "HTTP cookie protection (Enhanced)". In the BIG-IP ASM Operations Guide (September 2017) pg. 35, the guide reads "Where applicable, the policy type that automatically includes the mechanism is listed in parenthesis". "Fundamental", "Enhanced", and "Comprehensive" are listed in parenthesis following this statement for various ASM controls in Table 4.1 OWASP Compliance which, I believe, implies that if you are not using the Automatic Policy Builder (that contains these three policy types) it must be configured manually. Since I'm using the manual method, I'm concerned that this protection is not enabled.

 

Thanks!