STIGQter: STIG Summary: F5 BIG-IP Device Management 11.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

If the BIG-IP appliance is being used to authenticate users for web applications, the HTTPOnly flag must be set.

DISA Rule

SV-230217r561165_rule

Vulnerability Number

V-230217

Group Title

SRG-APP-000435-NDM-000315

Rule Version

F5BI-DM-000290

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure a policy in the BIG-IP ASM module to enable the HTTPOnly flag.

Log in to the Configuration utility.

Navigate to Security >> Options >> Application Security >> Advanced Configuration >> System Variables

Create the variable cookie_httponly_attr.

Set the Parameter to 1.

Check Contents

If the BIG-IP ASM module is not used to support user authentication, this is not applicable.

Navigate to Security >> Options >> Application Security >> Advanced Configuration >> System Variables
Verify cookie_httponly_attr is set to 1.

If the BIG-IP appliance is being used to authenticate users for web applications and the HTTPOnly flag is not set, this is a finding.

Vulnerability Number

V-230217

Documentable

False

Rule Version

F5BI-DM-000290

Severity Override Guidance

If the BIG-IP ASM module is not used to support user authentication, this is not applicable.

Navigate to Security >> Options >> Application Security >> Advanced Configuration >> System Variables
Verify cookie_httponly_attr is set to 1.

If the BIG-IP appliance is being used to authenticate users for web applications and the HTTPOnly flag is not set, this is a finding.

Check Content Reference

M

Target Key

4036

Comments