Cookie enforcement

This topic describes the cookie enforcement feature for F5 WAF for NGINX.

F5 WAF for NGINX generates its own cookies, referred to as enforcer cookies, and adds them on top of the application cookies.

You can control the attributes within these cookies.

| Attribute name | Default value | Alternate values | Policy defaults |
| --- | --- | --- | --- |
| httpOnlyAttribute | true | false | true in all policies |
| secureAttribute | never | always | always in the strict and API policies |
| sameSiteAttribute | lax | none-value, strict, none | strict in the strict policy, none removes the attribute entirely |

In this example, HttpOnly is configured as true, Secure as never, and SameSite as strict.

```json
{
    "policy": {
        "name": "cookie_attrs_configured",
        "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
        "enforcer-settings": {
            "enforcerStateCookies": {
                "httpOnlyAttribute": true,
                "secureAttribute": "never",
                "sameSiteAttribute": "strict"
            }
        }
    }
}
```
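
The following Python sketch is an added example, not part of the F5 documentation or product code: it resolves the effective enforcer cookie attributes of a policy using the default values from the table and reports settings worth reviewing before deployment. The function name, finding texts and second sample policy are constructed for illustration, and the reading of `none-value` as emitting `SameSite=None` is an assumption.

```python
import json

# Fallbacks from the "Default value" column of the table above. Template
# overrides (strict and API policies) are not modelled in this sketch.
DEFAULTS = {"httpOnlyAttribute": True, "secureAttribute": "never",
            "sameSiteAttribute": "lax"}
ALLOWED = {"httpOnlyAttribute": {True, False},
           "secureAttribute": {"never", "always"},
           "sameSiteAttribute": {"lax", "strict", "none", "none-value"}}

def audit_enforcer_cookies(policy_text):
    """Return (effective settings, findings) for one policy JSON document."""
    policy = json.loads(policy_text)["policy"]
    configured = policy.get("enforcer-settings", {}).get("enforcerStateCookies", {})
    effective = {**DEFAULTS, **configured}
    findings = []
    for name, value in effective.items():
        if name not in ALLOWED:
            findings.append(f"{name}: not an attribute listed in the table")
        elif type(value) is not type(DEFAULTS[name]) or value not in ALLOWED[name]:
            findings.append(f"{name}: unsupported value {value!r}")
    if findings:
        return effective, findings  # do not reason about malformed settings
    same_site, secure = effective["sameSiteAttribute"], effective["secureAttribute"]
    if not effective["httpOnlyAttribute"]:
        findings.append("httpOnlyAttribute: page scripts can read enforcer cookies")
    if secure == "never":
        findings.append("secureAttribute: cookies are also sent over plain HTTP")
    if same_site == "none":
        findings.append("sameSiteAttribute: attribute removed, browser default applies")
    if same_site == "none-value":
        # Assumption: none-value emits SameSite=None, which browsers such as
        # Chrome only accept together with Secure.
        findings.append("sameSiteAttribute: cookies are sent on cross-site requests"
                        if secure == "always" else
                        "sameSiteAttribute: SameSite=None without Secure is rejected")
    return effective, findings

# The policy from this page, plus a constructed variant for comparison.
PAGE_POLICY = '''{"policy": {"name": "cookie_attrs_configured",
  "template": {"name": "POLICY_TEMPLATE_NGINX_BASE"},
  "enforcer-settings": {"enforcerStateCookies": {"httpOnlyAttribute": true,
    "secureAttribute": "never", "sameSiteAttribute": "strict"}}}}'''
CONSTRUCTED_POLICY = '''{"policy": {"name": "constructed_example",
  "enforcer-settings": {"enforcerStateCookies": {"sameSiteAttribute": "none-value"}}}}'''

if __name__ == "__main__":
    for text in (PAGE_POLICY, CONSTRUCTED_POLICY):
        print(audit_enforcer_cookies(text))
```

For the policy shown on this page, the only finding is the `secureAttribute` value of `never`.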