For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ReynaldoQ_14206's avatar
ReynaldoQ_14206
Icon for Nimbostratus rankNimbostratus
Oct 24, 2017

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Hello,   We have a virtual server setup on loadbalancer version 11.5.1. The http vip is redirecting to https using the HTTP Policy httptohttps. The https vip configured with SSL Profile (Client) a...
application delivery
BIG-IP
LTM
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Oct 24, 2017

Hi ReynaldoQ,

 

you may take a look to K11324 [click me]. The solution article explains how to set the secure flag on response cookies and also provides an iRule for this task.

 

In addition to this you may want to adopt Strict Transport Security / HSTS on your HTTP Profile. Enabling HSTS will make sure that your clients will always connect to your site via HTTPS. When using HSTS the "secure" cookie flag could be considered as obsolete...

 

HTTP Profile Settings: See "Strict Transport Security" Section

 

https://support.f5.com/csp/article/K40243113

 

Cheers, Kai