Bob_10976
Oct 29, 2012, Nimbostratus
Sensitive Cookie Missing 'HTTPONLY' Attribute
We were recently dinged by an audit scan for "Sensitive Cookie Missing 'HTTPONLY' Attribute" not being set on several of our websites, which pretty much is spread across several different VS in the...
nitass
Nov 02, 2012, Employee
Based on what I'm seeing, this may be a false positive, right? Doesn't the audit have a log to prove what they found?
Anyway, to prevent adding a duplicate HttpOnly, you may check whether it is already there before adding it.
e.g.
[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve10:Active] config b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when HTTP_RESPONSE {
      set ck [HTTP::header values "Set-Cookie"]
      HTTP::header remove "Set-Cookie"
      foreach acookie $ck {
         if { [string tolower $acookie] contains "httponly" } {
            HTTP::header insert "Set-Cookie" "${acookie}"
         } else {
            HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
         }
      }
   }
}
[root@ve10:Active] config curl -I http://200.200.200.101
HTTP/1.1 200 OK
Date: Fri, 02 Nov 2012 14:54:25 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
ETag: "4183f3-59-f28f94c0"
Accept-Ranges: bytes
Content-Length: 89
Set-Cookie: foo1=123456; path=/; HttpOnly
Set-Cookie: foo2=abcdef; path=/
Content-Type: text/html; charset=UTF-8
[root@ve10:Active] config curl -I http://172.28.19.79
HTTP/1.1 200 OK
Date: Fri, 02 Nov 2012 14:54:30 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
ETag: "4183f3-59-f28f94c0"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8
Set-Cookie: foo1=123456; path=/; HttpOnly
Set-Cookie: foo2=abcdef; path=/; HttpOnly
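The rewrite in the iRule above, restated as an added Python example (not code from the thread or from F5), so the logic can be exercised offline: one function models the scanner's check (which Set-Cookie headers lack HttpOnly), the other applies the same "append only when missing" rule the iRule uses. The sample response headers are constructed to mirror the first curl -I output in the post. One deliberate difference, stated as a design choice rather than the iRule's behaviour: the iRule tests whether the whole cookie string contains "httponly", while this example looks only at the ';'-separated attribute list, so a cookie value that happens to contain that substring is not mistaken for an HttpOnly cookie.

```python
"""Model of a Set-Cookie HttpOnly audit check and the matching rewrite.

Added example for the thread above; it is not the iRule itself and uses only
the Python standard library. SAMPLE_RESPONSE is a constructed stand-in for the
headers the origin server (200.200.200.101 in the post) returned via curl -I.
"""

# Constructed sample: raw response as curl -I shows it, foo2 lacking HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "Content-Length: 89\r\n"
    "Set-Cookie: foo1=123456; path=/; HttpOnly\r\n"
    "Set-Cookie: foo2=abcdef; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (name, value) pairs in wire order.

    Repeated headers such as Set-Cookie are kept as separate entries, which is
    what HTTP::header values returns on the BIG-IP side. The status line is
    skipped and parsing stops at the blank line that ends the header block.
    """
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def has_httponly(cookie):
    """True if the HttpOnly attribute is present on this Set-Cookie value.

    Only the attributes after the name=value pair are inspected, compared
    case-insensitively, so 'HttpOnly', 'httponly' and 'HTTPONLY' all count
    while a cookie *value* containing the word does not.
    """
    attrs = [part.strip().lower() for part in cookie.split(";")[1:]]
    return "httponly" in attrs


def cookies_missing_httponly(pairs):
    """Audit-style check: names of cookies set without HttpOnly."""
    missing = []
    for name, value in pairs:
        if name.lower() == "set-cookie" and not has_httponly(value):
            missing.append(value.split("=", 1)[0].strip())
    return missing


def add_httponly(pairs):
    """Append '; HttpOnly' to Set-Cookie values that lack it, as the iRule does.

    Cookies that already carry the attribute are passed through unchanged, so
    applying the function twice never produces a duplicate attribute. Other
    headers are left as they are.
    """
    rewritten = []
    for name, value in pairs:
        if name.lower() == "set-cookie" and not has_httponly(value):
            value = value + "; HttpOnly"
        rewritten.append((name, value))
    return rewritten


if __name__ == "__main__":
    headers = parse_headers(SAMPLE_RESPONSE)
    print("before:", cookies_missing_httponly(headers))
    fixed = add_httponly(headers)
    print("after: ", cookies_missing_httponly(fixed))
    for name, value in fixed:
        if name == "Set-Cookie":
            print(name + ": " + value)
```

Running the module reports foo2 as the only cookie missing the attribute before the rewrite and none afterwards. Note that the iRule's remove-then-insert approach also moves the Set-Cookie headers to the end of the response, which is visible in the second curl output in the post where they now follow Content-Type; the order of headers is not significant to browsers, but it is a handy way to confirm from the client side that the rule actually ran.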