Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
F5 BIG-IP Access Policy Manager Security Technical Implementation Guide
SRG-NET-000233-ALG-000115
The F5 BIG-IP appliance must be configured to enable the "Secure" cookie flag.
The F5 BIG-IP appliance must be configured to enable the "Secure" cookie flag.
An XCCDF Rule
Details
Profiles
Prose
The F5 BIG-IP appliance must be configured to enable the "Secure" cookie flag.
Low Severity
<VulnDiscussion>To guard against cookie hijacking, only the BIG-IP APM controller and client must be able to view the full session ID. Session cookies are set only after the SSL handshake between the BIG-IP APM system and the user has completed, ensuring that the session cookies are protected from interception with SSL encryption. To ensure that the client browser will not send session cookies unencrypted, the HTTP header that the BIG-IP APM uses when sending the session cookie is set with the secure option (default). This option is only applicable to the LTM+APM access profile type.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>