Last Modified: May 29, 2024
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2
Fixed In:
16.1.0, 15.1.5, 14.1.4.5
Opened: Mar 03, 2020
Severity: 3-Major
The Bot Defense profile adds P3P headers to every response when a cookie is set, even if the client browser is something other than Microsoft Internet Explorer.
As a result, the deprecated P3P header is inserted in all responses, even though it is only required for Internet Explorer.
This occurs when a Bot Defense profile is attached to a virtual server.
The value of the P3P header is globally configurable in the DB variable dosl7.p3p_header. It is also possible to set the value to '<null>' and thus prevent the P3P header from appearing, but this may cause legitimate Internet Explorer browsers to be blocked from accessing the web application.
The profile now adds the P3P header only to Internet Explorer browsers. There is still the option to add the header to all browsers (i.e., keep the old behavior, in case there is another browser that requires this) by setting a db variable:
tmsh modify sys db botdefense.always_add_p3p_header value enable
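To confirm the fixed behavior after an upgrade, the following added example (not F5 code) scans captured request/response header pairs and flags any response that sets a cookie and carries a P3P header for a non-Internet Explorer client. It assumes Internet Explorer is identified by the "MSIE " or "Trident/" User-Agent tokens, which may differ from BIG-IP's own detection; the sample exchanges, host name, cookie and P3P values are constructed.

```python
import re

# Assumption: Internet Explorer is recognised by the "MSIE " (IE 10 and older)
# or "Trident/" (IE 11) User-Agent tokens; BIG-IP's own detection may differ.
IE_TOKENS = re.compile(r"MSIE |Trident/")

def parse_headers(raw):
    """Parse a raw HTTP header block into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:       # skip the request/status line
        if not line.strip():
            break                            # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def unexpected_p3p(exchanges):
    """Return indexes of exchanges where a non-IE client received
    a P3P header on a response that also sets a cookie."""
    flagged = []
    for i, (request, response) in enumerate(exchanges):
        ua = " ".join(parse_headers(request).get("user-agent", []))
        resp = parse_headers(response)
        if "p3p" in resp and "set-cookie" in resp and not IE_TOKENS.search(ua):
            flagged.append(i)
    return flagged

# Constructed sample exchanges (not captured from a real BIG-IP).
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
IE11 = "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"
IE9 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
REQ = "GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agent: {}\r\n\r\n"
COOKIE = "Set-Cookie: sample=abc; Path=/\r\n"
P3P = 'p3p: CP="constructed"\r\n'           # header names are case-insensitive
SAMPLES = [
    (REQ.format(FIREFOX), "HTTP/1.1 200 OK\r\n" + COOKIE + P3P + "\r\n"),
    (REQ.format(IE11), "HTTP/1.1 200 OK\r\n" + COOKIE + P3P + "\r\n"),
    (REQ.format(FIREFOX), "HTTP/1.1 200 OK\r\n" + COOKIE + "\r\n"),
    (REQ.format(IE9), "HTTP/1.1 200 OK\r\n" + P3P + "\r\n"),
]

if __name__ == "__main__":
    print("Exchanges with unexpected P3P header:", unexpected_p3p(SAMPLES))
```

On a fixed version the result should be empty for real traffic unless botdefense.always_add_p3p_header has been enabled.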