STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to F5 BIG-IP Access Policy Manager Security Technical Implementation Guide

V-260059

CAT III (Low)

The F5 BIG-IP appliance must be configured to enable the "Secure" cookie flag.

Rule ID

SV-260059r947425_rule

STIG

F5 BIG-IP Access Policy Manager Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-001664

Discussion

To guard against cookie hijacking, only the BIG-IP APM controller and client must be able to view the full session ID. Session cookies are set only after the SSL handshake between the BIG-IP APM system and the user has completed, ensuring that the session cookies are protected from interception with SSL encryption. To ensure that the client browser will not send session cookies unencrypted, the HTTP header that the BIG-IP APM uses when sending the session cookie is set with the secure option (default). This option is only applicable to the LTM+APM access profile type.

Check Content

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the Access profile name.
5. "SSO/Auth Domains" tab.
6. Under "Cookie Options", verify "Secure" is enabled.

If the F5 BIG-IP appliance APM Policy does not enable the "Secure" cookie flag, this is a finding.

Fix Text

Configure each Access Profile to enable the "Secure" cookie flag.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the Access profile name.
5. "SSO/Auth Domains" tab.
6. Under "Cookie Options", check "Secure".
7. Click "Update".
8. Click "Apply Access Policy".