cancel
Showing results for 
Search instead for 
Did you mean: 

F5 APM cookie F5_ST not supporting httpOnly - is there any explicit documentation on that?

daboochmeister
Nimbostratus
Nimbostratus

Env: LTM 13.1.3.6

 

Hi - we are working to address with our Security department a vulnerability scan, which has pointed out that during APM-managed login sessions the cookie "F5_ST" is set without the httpOnly option.

 

In the documentation for the APM cookies (https://support.f5.com/csp/article/K15387), it describes how this cookie is processed by Javascript - which makes complete sense of why it doesn't support httpOnly.

 

However, we would benefit from an explicit statement to that effect. Is anyone aware of any such statement in F5 documentation? I have searched, but have not been able to find anything. I also can't find anything in devcentral (except individuals asking how to set httpOnly, without receiving any replies). If anyone is aware of any statement, even if not official, that supports my assertion that httpOnly cannot be used, that would be helpful in absentia of an explicit statement.

 

Thank you!

0 REPLIES 0