F5 iRule to Secure Cookie with HTTPOnly and Secure

Secure Web Application from XSS Attack through following F5 iRules

There are multiple ways to secure cookie in your application, but the easiest way is always at network edge like F5.

Following example is given based on your Web Application cookie start with JSESSIONID. If you have something else, you can modify accordingly.

The following will add HTTPOnly and Secure flag in Set-Cookie starting with JSESSIONID in header response.

To implement using iRule

Create irule with following

when HTTP_RESPONSE {
 HTTP::cookie secure "JSESSIONID" enable
    set ck [HTTP::header values "Set-Cookie"]
    HTTP::header remove "Set-Cookie"
    foreach acookie $ck {
       if {$acookie starts_with "JSESSIONID"} {
          HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
       } else {
          HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
       }
    }
 }

Associate irule to respective Virtual Server

To verify

You can use any web developer tool to view Response headers and ensure you see following. You can also use HTTP Header online tool to confirm this.

Interested in learning more about F5 administration? Check out this online course by Tyco Taygo.

Chandan Kumar
Contributor
- LinkedIn
Chandan Kumar is a founder of Geekflare. He is a technology enthusiast and entrepreneur who is passionate about helping businesses and individuals around the world.