Bug ID 886865: P3P header is added for all browsers, but required only for Internet Explorer

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,, 15.0.0, 15.0.1,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 16.0.0,, 16.0.1,,

Fixed In:
16.1.0, 15.1.5,

Opened: Mar 03, 2020

Severity: 3-Major


The Bot Defense profile adds P3P headers to every response when a cookie is set, even if the client browser is something other than Microsoft Internet Explorer.


Deprecated P3P header is inserted in all responses, even though it is only required for Internet Explorer.


Bot Defense Profile is attached to a virtual server.


The value of the P3P header is globally configurable in the DB variable dosl7.p3p_header. It is also possible to set the value to '<null>' and thus prevent the P3P header from appearing, but this may cause legitimate Internet Explorer browsers to be be blocked from accessing the web application.

Fix Information

The profile now adds the P3P header only to Internet Explorer browsers. There is still the option to add the header to all browsers (i.e., keep the old behavior, in case there is another browser that requires this) by setting a db variable: tmsh modify sys db botdefense.always_add_p3p_header value enable

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips