The cookie does not contain the "HTTPOnly" attribute.

Question

Hi All,
we got vulnerability as below in our vulnerability scan&nbsp;
Threat
 The cookie does not contain the "HTTPOnly" attribute.&nbsp;
Impact
 Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.&nbsp;
Solution
 If the associated risk of a compromised account is high, apply the "HTTPOnly" attribute to cookies.&nbsp;
But   We need both the HTTPOnly and Secure flags set on the cookies. can you please let me know if this can be achieved if i made the setting http only on the cookie ? or please suggest me if any thing else need to be taken care &nbsp;

vvskaladhar_488 · Answer

Hi All,&nbsp;
As per my understanding "HTTPOnly" attribute to cookies can be inserted Only by using ASM  as I dont see this option in LTM . please let me know if there is any way to solve above vulnerability.&nbsp;

maneesh_72711 · Answer

Check this one from Aaron.
https://devcentral.f5.com/questions/cookie-persistence-sendfor-http-only&nbsp;

Forum Discussion

The cookie does not contain the "HTTPOnly" attribute.

2 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

Port Group on F5OS network setting

Advise on setting up IRULE

F5 iRule to replace host to path

google-visualization-issues

Related Content

Add SameSite attribute to APM Cookies

Lightboard Lessons: HTTP Cookie SameSite Attribute

Set the SameSite Attribute for LTM Persistence Cookies

Format objectGUID attribute from hexadecimal to bindable string (hyphen-separated format)

Changing samesite attribute on ASM TS Cookie