Cookie Name Exception

We are working through migration to Cloudflare from Azure Front Door and one of the pain points we had with AFD was how exceptions could be configured against cookies. Specifically, the exception could be written against a cookie name but the exception was for the cookie’s value, not the name of the cookie itself. The link below explains it fairly well, but essentially there are nonce cookies that can trigger overly sensitive rules (i.e. contain --) and the algorithms that generate these names are not going to change. It is desirable to not disable the rules globally, but I am having trouble finding an example of how to exempt a cookie with a certain prefix (i.e. starts with “OpenIdConnect”) whose full name violates any number of OWASP rules.

Example: OpenIdConnect.Nonce.<String That Violates Rule(s) Here>

Does anyone have an example of what the rule would look like?
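The distinction the post draws (exempting a cookie's name while still inspecting its value) can be shown with a small inspector. This is an added example, not code from the thread or from Cloudflare, and it does not use Cloudflare's rule expression syntax; the `--` pattern stands in for whatever over-sensitive managed rule is firing, the `OpenIdConnect.` prefix is the one from the post, and the Cookie header strings are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Stand-in for an over-sensitive managed rule: a SQL-comment style token
# ("--") anywhere in the inspected string. (Hypothetical, for illustration.)
SQL_COMMENT = re.compile(r"--")

# Cookie-name prefixes whose *names* are exempt from inspection.
# Their values are still inspected. (Constructed for this example.)
EXEMPT_NAME_PREFIXES: Tuple[str, ...] = ("OpenIdConnect.",)


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a raw Cookie header into (name, value) pairs, preserving order.

    Splits manually rather than via http.cookies so that generated names
    containing unusual characters (such as "--") are not silently dropped.
    """
    pairs: List[Tuple[str, str]] = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        # Split at the first "=" only; values may themselves contain "=".
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def name_is_exempt(name: str) -> bool:
    """True when the cookie name carries one of the exempt prefixes."""
    return name.startswith(EXEMPT_NAME_PREFIXES)


def inspect_cookies(header: str) -> Dict[str, List[str]]:
    """Apply the pattern per cookie, with the exemption scoped to names only.

    Returns the names of cookies whose *name* matched (and were not exempt)
    and the names of cookies whose *value* matched (never exempt).
    """
    findings: Dict[str, List[str]] = {"name": [], "value": []}
    for name, value in parse_cookie_header(header):
        if SQL_COMMENT.search(name) and not name_is_exempt(name):
            findings["name"].append(name)
        if SQL_COMMENT.search(value):
            findings["value"].append(name)
    return findings


def should_block(header: str) -> bool:
    """Block when any non-exempt name or any value triggers the pattern."""
    found = inspect_cookies(header)
    return bool(found["name"] or found["value"])


def naive_header_match(header: str) -> bool:
    """The behaviour the post complains about: the pattern is run over the
    whole Cookie header, so a harmless generated name trips it."""
    return SQL_COMMENT.search(header) is not None


# Constructed sample headers.
BENIGN_HEADER = "session=abc123; OpenIdConnect.Nonce.xy--z9=nonceval; tracking=1"
HOSTILE_VALUE_HEADER = "OpenIdConnect.Nonce.xy--z9=1' OR 1=1 --"
UNEXEMPT_NAME_HEADER = "ab--cd=1"

if __name__ == "__main__":
    for label, hdr in (("benign", BENIGN_HEADER),
                       ("hostile value", HOSTILE_VALUE_HEADER),
                       ("unexempt name", UNEXEMPT_NAME_HEADER)):
        print(f"{label:14s} naive={naive_header_match(hdr)!s:5s} "
              f"scoped={should_block(hdr)!s:5s} {inspect_cookies(hdr)}")
```

The benign header is blocked by the whole-header check but passes the scoped one, while a matching value in the exempt cookie is still caught; that is the property an exception rule should preserve, whatever syntax the WAF uses to express it.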
