
F5 iRule to Secure Cookies with HttpOnly and Secure


Protect your web application's session cookie from theft through XSS with the following F5 iRule.

There are multiple ways to secure a cookie in your application, but the easiest is usually at the network edge, for example on an F5 load balancer, where it applies to every backend without touching application code.

The following example assumes your web application's session cookie name starts with JSESSIONID. If it uses a different name, change the cookie name in the iRule accordingly.

The iRule below adds the HttpOnly and Secure flags to every Set-Cookie response header whose cookie name starts with JSESSIONID; other cookies are passed through unchanged.

To implement using an iRule

  • Create an iRule with the following content:

    when HTTP_RESPONSE {
        # Set the Secure attribute on the JSESSIONID cookie (F5 rewrites the Set-Cookie header)
        HTTP::cookie secure "JSESSIONID" enable
        # Collect every Set-Cookie header from the response, then rebuild them one by one
        set ck [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        foreach acookie $ck {
            if { $acookie starts_with "JSESSIONID" } {
                if { [string tolower $acookie] contains "httponly" } {
                    # Already flagged by the application; re-insert as-is to avoid a duplicate attribute
                    HTTP::header insert "Set-Cookie" $acookie
                } else {
                    # Append HttpOnly only to cookies whose name starts with JSESSIONID
                    HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
                }
            } else {
                # Any other cookie is re-inserted unchanged
                HTTP::header insert "Set-Cookie" $acookie
            }
        }
    }

  • Associate the iRule with the relevant Virtual Server.

To verify

Use any browser developer tool to inspect the response headers and confirm that the Set-Cookie header for JSESSIONID now carries both the HttpOnly and Secure attributes. An online HTTP header checking tool can be used to confirm the same thing from outside the browser.
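The logic the iRule performs (take every Set-Cookie header, add Secure and HttpOnly to the ones starting with JSESSIONID without duplicating attributes that are already present, leave the rest alone) and the verification step can both be reproduced off the box. The following Python is an added example, not code from the post or from F5: it applies the same rule to a constructed list of response headers and reports which JSESSIONID cookies still lack a flag, which is what you check in the developer tool. The function names, the sample header values and the prefix parameter are assumptions made for this example.

```python
"""Added example (not from the original post or from F5): a reference
implementation of the iRule's cookie-hardening logic, plus a checker that
mirrors the manual 'To verify' step. Function names, header values and
the prefix parameter are constructed for this example."""

from typing import List, Tuple

Header = Tuple[str, str]


def harden_set_cookie(headers: List[Header], prefix: str = "JSESSIONID") -> List[Header]:
    """For every Set-Cookie whose cookie name starts with `prefix`, ensure the
    Secure and HttpOnly attributes are present exactly once. All other headers
    (and other cookies) pass through unchanged and header order is preserved,
    which is what the iRule's remove-then-reinsert loop does."""
    out: List[Header] = []
    for name, value in headers:
        if name.lower() != "set-cookie" or not value.startswith(prefix):
            out.append((name, value))
            continue
        # parts[0] is the name=value pair, the rest are attributes (compared case-insensitively)
        parts = [p.strip() for p in value.split(";")]
        attrs_lower = {p.lower() for p in parts[1:]}
        if "secure" not in attrs_lower:
            parts.append("Secure")
        if "httponly" not in attrs_lower:
            parts.append("HttpOnly")
        out.append((name, "; ".join(parts)))
    return out


def missing_flags(headers: List[Header], prefix: str = "JSESSIONID") -> List[Tuple[str, List[str]]]:
    """Verification step: return (cookie pair, [missing attributes]) for every
    Set-Cookie starting with `prefix` that lacks Secure or HttpOnly.
    An empty list means the hardening is in place."""
    problems: List[Tuple[str, List[str]]] = []
    for name, value in headers:
        if name.lower() != "set-cookie" or not value.startswith(prefix):
            continue
        attrs_lower = {p.strip().lower() for p in value.split(";")[1:]}
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs_lower]
        if missing:
            problems.append((value.split(";", 1)[0], missing))
    return problems


# Constructed sample response headers, as an application server might send them
SAMPLE_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=1A2B3C; Path=/"),                 # missing both flags
    ("Set-Cookie", "JSESSIONID=4D5E6F; Path=/app; HttpOnly"),    # already HttpOnly, must not be duplicated
    ("Set-Cookie", "theme=dark; Path=/"),                        # not a session cookie, left alone
]

if __name__ == "__main__":
    print("before:", missing_flags(SAMPLE_RESPONSE))
    hardened = harden_set_cookie(SAMPLE_RESPONSE)
    for hdr_name, hdr_value in hardened:
        print(f"{hdr_name}: {hdr_value}")
    print("after:", missing_flags(hardened))
```

Running the file prints the two JSESSIONID cookies that are missing flags, the rewritten headers, and an empty list afterwards. The idempotence check matters in practice: an application that already sets HttpOnly itself would otherwise end up with the attribute twice, which is harmless for browsers but noisy in header audits.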

Interested in learning more about F5 administration? Check out this online course by Tyco Taygo.
