STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated just now
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to F5 BIG-IP Access Policy Manager Security Technical Implementation Guide

V-260059

CAT III (Low)

The F5 BIG-IP appliance must be configured to enable the "Secure" cookie flag.

Rule ID

SV-260059r947425_rule

STIG

F5 BIG-IP Access Policy Manager Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-001664

Discussion

To guard against cookie hijacking, only the BIG-IP APM controller and client must be able to view the full session ID. Session cookies are set only after the SSL handshake between the BIG-IP APM system and the user has completed, ensuring that the session cookies are protected from interception with SSL encryption. To ensure that the client browser will not send session cookies unencrypted, the HTTP header that the BIG-IP APM uses when sending the session cookie is set with the secure option (default). This option is only applicable to the LTM+APM access profile type.

Check Content

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the Access profile name.
5. "SSO/Auth Domains" tab.
6. Under "Cookie Options", verify "Secure" is enabled.

If the F5 BIG-IP appliance APM Policy does not enable the "Secure" cookie flag, this is a finding.

Fix Text

Configure each Access Profile to enable the "Secure" cookie flag.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the Access profile name.
5. "SSO/Auth Domains" tab.
6. Under "Cookie Options", check "Secure".
7. Click "Update".
8. Click "Apply Access Policy".