The cookie does not contain the "HTTPOnly" attribute.

Question

Hi All,
we got vulnerability as below in our vulnerability scan&nbsp;
Threat
 The cookie does not contain the "HTTPOnly" attribute.&nbsp;
Impact
 Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.&nbsp;
Solution
 If the associated risk of a compromised account is high, apply the "HTTPOnly" attribute to cookies.&nbsp;
But   We need both the HTTPOnly and Secure flags set on the cookies. can you please let me know if this can be achieved if i made the setting http only on the cookie ? or please suggest me if any thing else need to be taken care &nbsp;

vvskaladhar_488 · Answer

Hi All,&nbsp;
As per my understanding "HTTPOnly" attribute to cookies can be inserted Only by using ASM  as I dont see this option in LTM . please let me know if there is any way to solve above vulnerability.&nbsp;

maneesh_72711 · Answer

Check this one from Aaron.
https://devcentral.f5.com/questions/cookie-persistence-sendfor-http-only&nbsp;

Forum Discussion

The cookie does not contain the "HTTPOnly" attribute.

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Add SameSite attribute to APM Cookies

Lightboard Lessons: HTTP Cookie SameSite Attribute

Set the SameSite Attribute for LTM Persistence Cookies

Changing samesite attribute on ASM TS Cookie

LDAP Query for Attribute

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS