Set APM Cookies to HttpOnly
During an internal PEN test of our APM implementation, our Security group was able to inject some Java script and steal the 2 APM cookies MRHSession and Last_MRHSession. We think we could prevent this by setting these cookies to HttpOnly but this option is not available in APM. Anybody run across this issue and able to resolve? Wondering if there might be an iRule that could be used here - any feedback greatly appreciated!