Secure Web Application from XSS Attack through following F5 iRules

There are multiple ways to secure cookie in your application, but the easiest way is always at network edge like F5.

Following example is given based on your Web Application cookie start with JSESSIONID. If you have something else, you can modify accordingly.

The following will add HTTPOnly and Secure flag in Set-Cookie starting with JSESSIONID in header response.

To implement using iRule

  • Create irule with following
 HTTP::cookie secure "JSESSIONID" enable
    set ck [HTTP::header values "Set-Cookie"]
    HTTP::header remove "Set-Cookie"
    foreach acookie $ck {
       if {$acookie starts_with "JSESSIONID"} {
          HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
       } else {
          HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
  • Associate irule to respective Virtual Server

To verify

You can use any web developer tool to view Response headers and ensure you see following. You can also use HTTP Header online tool to confirm this.

Interested in learning more about F5 administration? Check out this online course by Tyco Taygo.