UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

If the BIG-IP appliance is being used to authenticate users for web applications, the HTTPOnly flag must be set.


Overview

Finding ID Version Rule ID IA Controls Severity
V-230217 F5BI-DM-000290 SV-230217r561165_rule Low
Description
The HttpOnly attribute directs browsers to use cookies by way of the HTTP and HTTPS protocols only, ensuring that the cookie is not available by other means, such as JavaScript function calls. This setting mitigates the risk of attack utilizing Cross Site Scripting (XSS). This vulnerability allows an attacker to impersonate any authenticated user that has visited a page with the attack deployed, allowing them to potentially allowing the user to raise their permissions level. The vulnerability can be mitigated by setting HTTPOnly on the appropriate Access Policy.
STIG Date
F5 BIG-IP Device Management 11.x Security Technical Implementation Guide 2020-09-28

Details

Check Text ( C-32547r561162_chk )
If the BIG-IP ASM module is not used to support user authentication, this is not applicable.

Navigate to Security >> Options >> Application Security >> Advanced Configuration >> System Variables
Verify cookie_httponly_attr is set to 1.

If the BIG-IP appliance is being used to authenticate users for web applications, the HTTPOnly flag must be set, this is a finding.
Fix Text (F-32521r561163_fix)
Configure a policy in the BIG-IP ASM module to enable the HTTPonly flag.

Log in to the Configuration utility.

Navigate to Security >> Options >> Application Security >> Advanced Configuration >> System Variables

Create the variable cookie_httponly_attr.

Set the Parameter to 1.