nitass
Nov 02, 2012 (Employee)
Based on what I'm seeing, this may be a false positive, right? Doesn't the audit have a log to prove what they found?
Anyway, to prevent adding a duplicate HttpOnly attribute, you can check whether it is already present before adding it.
e.g.
[root@ve10:Active] config b virtual bar list
virtual bar {
snat automap
pool foo
destination 172.28.19.79:80
ip protocol 6
rules myrule
profiles {
http {}
tcp {}
}
}
[root@ve10:Active] config b pool foo list
pool foo {
members 200.200.200.101:80 {}
}
[root@ve10:Active] config b rule myrule list
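rule myrule {
  # Ensure every Set-Cookie header on the response carries the HttpOnly
  # attribute, without duplicating it on cookies that already have one.
  when HTTP_RESPONSE {
    # Capture all Set-Cookie values, then remove the originals so each one
    # can be re-inserted (HTTP::header insert appends a new header line).
    set ck [HTTP::header values "Set-Cookie"]
    HTTP::header remove "Set-Cookie"
    foreach acookie $ck {
      # Test for HttpOnly as a standalone attribute token (delimited by ';'
      # or the end of the string), case-insensitively. A plain substring
      # match would also be satisfied by a cookie whose name or value merely
      # contains the text "httponly", leaving that cookie without the flag.
      if { [regexp -nocase {(^|;)\s*httponly\s*(;|$)} $acookie] } {
        HTTP::header insert "Set-Cookie" "${acookie}"
      } else {
        HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
      }
    }
  }
}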
[root@ve10:Active] config curl -I http://200.200.200.101
HTTP/1.1 200 OK
Date: Fri, 02 Nov 2012 14:54:25 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
ETag: "4183f3-59-f28f94c0"
Accept-Ranges: bytes
Content-Length: 89
Set-Cookie: foo1=123456; path=/; HttpOnly
Set-Cookie: foo2=abcdef; path=/
Content-Type: text/html; charset=UTF-8
[root@ve10:Active] config curl -I http://172.28.19.79
HTTP/1.1 200 OK
Date: Fri, 02 Nov 2012 14:54:30 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
ETag: "4183f3-59-f28f94c0"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8
Set-Cookie: foo1=123456; path=/; HttpOnly
Set-Cookie: foo2=abcdef; path=/; HttpOnly