Forum Discussion

Nimbostratus

Oct 24, 2017

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Hello, We have a virtual server setup on loadbalancer version 11.5.1. The http vip is redirecting to https using the HTTP Policy httptohttps. The https vip configured with SSL Profile (Client) a...

MVP

Oct 24, 2017

Hi ReynaldoQ,

you may take a look to K11324 [click me]. The solution article explains how to set the secure flag on response cookies and also provides an iRule for this task.

In addition to this you may want to adopt Strict Transport Security / HSTS on your HTTP Profile. Enabling HSTS will make sure that your clients will always connect to your site via HTTPS. When using HSTS the "secure" cookie flag could be considered as obsolete...

HTTP Profile Settings: See "Strict Transport Security" Section

https://support.f5.com/csp/article/K40243113

Cheers, Kai

Forum Discussion

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Recent Discussions

Errors in setup of BIGIP-NEXT CM VE on KVM

SEEK ADVICE FROM WEB BAILIFF CONTRACTOR ON STOLEN CRYPTO

AS3 Deployments (shared objects)

rSeries and tenant upgrades

iRule interpretation assistance

Related Content

Mitigation of OWASP API Security Risk: Unrestricted Access to Sensitive Business Flows using F5 XC

Auditing Security Policy Updates

HTTP Multipart and Security Implications

Using Distributed Application Security Policies in Secure Multicloud Networking Customer Edge Sites

Adaptive Apps: Replicate & deploy WAF application security policies across F5's security portfolio