Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Question

Hello,&nbsp;
We have a virtual server setup on loadbalancer version 11.5.1. The http vip is redirecting to https using the HTTP Policy httptohttps. The https vip configured with SSL Profile (Client) and Using Default Persistence Profile of the source address affinity type.&nbsp;
How do I configure the HTTPS VIP so that that all cookies are sent via SSL during an SSL session have the "Secure" attribute.&nbsp;
Thanks.&nbsp;

kai_wilke · Answer

Hi ReynaldoQ,&nbsp;
you may take a look to K11324 [click me]. The solution article explains how to set the secure flag on response cookies and also provides an iRule for this task.&nbsp;
In addition to this you may want to adopt Strict Transport Security / HSTS on your HTTP Profile. Enabling HSTS will make sure that your clients will always connect to your site via HTTPS. When using HSTS the "secure" cookie flag could be considered as obsolete...&nbsp;
HTTP Profile Settings: See "Strict Transport Security" Section&nbsp;
https://support.f5.com/csp/article/K40243113&nbsp;
Cheers, Kai&nbsp;

Forum Discussion

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

1 Reply

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Using ChatGPT for security and introduction of AI security

Add SameSite attribute to APM Cookies

ChatGPT and security - This Week in Security Feb 18th to Feb 25th, 2023

Avoiding Common iRules Security Pitfalls

Set the SameSite Attribute for LTM Persistence Cookies