
Force Secure cookie

Not applicable


I have a backend IIS pool that uses port 80, behind a virtual server that decrypts the SSL. I want to ensure that the cookies the web site returns have the 'secure' flag set on them. What can I use in a response rule to enforce this? I've asked our developers to force it on their applications, but it's a long way down their task list and I'd find it easier to enforce this globally on the vTM with a rule.


Thanks in advance,


Baptiste Assmann
Occasional Contributor

Re: Force Secure cookie

Hi Dan,


You can do this through a Response Rule:


# Read the Set-Cookie header the backend returned (empty string if there is none)
$setcookie = http.getResponseHeader( "Set-Cookie" );

# Only touch a header that exists and does not already carry the Secure attribute
if ($setcookie != "" && ! string.contains($setcookie, "Secure")) {
  $setcookie = $setcookie . "; Secure";
  http.setResponseHeader("Set-Cookie", $setcookie);
}




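The rule above does a plain substring check, so a cookie whose name or value happens to contain "Secure" would be left unflagged, and a lowercase "secure" attribute would be flagged twice. The following Python, added here as an illustration and not code from the thread or from vTM, models the same logic per cookie and per attribute so the edge cases can be checked offline against constructed headers:

```python
"""Per-cookie, case-insensitive enforcement of the Secure attribute.

Models the response-rule logic discussed above for offline testing; it is
not TrafficScript and does not talk to a traffic manager.  Attributes are
checked by name so that a cookie *called* "SecurePref" or a value containing
"Secure" is not mistaken for an already-flagged cookie.
"""


def has_attribute(set_cookie, name):
    """True if `name` appears as an attribute of this Set-Cookie value."""
    parts = set_cookie.split(";")
    # parts[0] is "cookie=value"; the rest are attributes (Path=/, HttpOnly, Secure, ...)
    for attr in parts[1:]:
        key = attr.strip().split("=", 1)[0].strip().lower()
        if key == name.lower():
            return True
    return False


def force_secure(set_cookie):
    """Return the header value with "; Secure" appended unless already present."""
    if has_attribute(set_cookie, "Secure"):
        return set_cookie
    return set_cookie.rstrip().rstrip(";") + "; Secure"


def force_secure_all(headers):
    """Apply force_secure to every Set-Cookie in a (name, value) header list."""
    return [(n, force_secure(v) if n.lower() == "set-cookie" else v) for n, v in headers]


def audit_insecure_cookies(headers):
    """Names of cookies set without Secure: a quick check of a backend's responses."""
    return [
        v.split(";", 1)[0].split("=", 1)[0].strip()
        for n, v in headers
        if n.lower() == "set-cookie" and not has_attribute(v, "Secure")
    ]


# Constructed sample response headers (not captured from any real system).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "SecurePref=1; Path=/"),        # "Secure" only in the cookie name
    ("Set-Cookie", "theme=dark; Path=/; secure"),  # already flagged, lowercase
]

if __name__ == "__main__":
    print("missing Secure:", audit_insecure_cookies(SAMPLE_HEADERS))
    for n, v in force_secure_all(SAMPLE_HEADERS):
        print(f"{n}: {v}")
```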
Occasional Contributor

Re: Force Secure cookie

An alternative (straightforward) approach would be to set the "cookie!secure" flag on the "protocol settings" page of the virtual server to "set the secure flag".

cookie settings for http virtual servers