How to Secure HTTP Cookies

Overview

Cookies provide a mechanism for storing session state on client user agents such as web browsers. Cookies can hold user preferences or shopping cart items, and can include sensitive information such as registration or login credentials. If a client can modify a cookie, the application becomes vulnerable to tampering attacks, and sensitive information can be stolen.

How Cookie Security Works

The Barracuda Web Application Firewall cookie security is transparent to back-end servers. When a server inserts a cookie, the Barracuda Web Application Firewall intercepts the response and encrypts or signs the cookie before delivering it to the client. When a subsequent request from the client returns this cookie, the Barracuda Web Application Firewall intercepts the request and decrypts it or verifies its signature. If the cookie is unaltered, the Barracuda Web Application Firewall forwards the original cookie to the server. Altered cookies are removed before the Barracuda Web Application Firewall forwards the request to the server.

Encryption prevents both viewing and tampering, so the client cannot read cookie values at all. When client-side code needs to read cookie values, use signing instead. When signing cookies, the Barracuda Web Application Firewall actually forwards two cookies to the client browser: one plaintext cookie and one signed cookie. When a subsequent request from the client returns the cookies, signature verification fails if either cookie has been altered. The Barracuda Web Application Firewall removes the modified/tampered cookie and retains only the original cookie set by the server before forwarding the request to the server.
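The following is an added illustration of the signing mode described above, not Barracuda's code: an HMAC model in which the WAF issues a plaintext cookie plus a companion signed cookie, then on the next request forwards only what verifies. The `_sig` suffix, the `<value>.<mac>` layout of the signed cookie, the key handling and the treatment of cookies that arrive without a signature are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict

KEY = secrets.token_bytes(32)  # per-deployment signing key (constructed; lives on the WAF side)
SIG_SUFFIX = "_sig"            # assumed name of the companion signed cookie


def _mac(name: str, value: str, key: bytes) -> str:
    # Bind the MAC to the cookie name so a valid pair cannot be replayed under another name.
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_response_cookies(server_cookies: Dict[str, str], key: bytes = KEY) -> Dict[str, str]:
    """Response path: forward each server cookie in plaintext plus a companion signed
    cookie carrying the original value and its MAC (assumed layout: "<value>.<mac>")."""
    out: Dict[str, str] = {}
    for name, value in server_cookies.items():
        out[name] = value
        out[name + SIG_SUFFIX] = f"{value}.{_mac(name, value, key)}"
    return out


def verify_request_cookies(client_cookies: Dict[str, str], key: bytes = KEY) -> Dict[str, str]:
    """Request path: return only the cookies that should reach the back-end server.
    - signed cookie intact and plaintext unchanged: forward the plaintext value
    - signed cookie intact but plaintext altered: drop the altered plaintext and
      forward the original value recovered from the signed cookie
    - signed cookie missing or altered: drop the cookie entirely
    Signature cookies themselves are never forwarded to the server."""
    forwarded: Dict[str, str] = {}
    for name, value in client_cookies.items():
        if name.endswith(SIG_SUFFIX):
            continue
        signed = client_cookies.get(name + SIG_SUFFIX)
        if signed is None:
            continue  # no WAF-issued signature: assumed client-injected, so removed
        original, sep, mac = signed.rpartition(".")  # MAC is hex, so it contains no "."
        if not sep or not hmac.compare_digest(mac, _mac(name, original, key)):
            continue  # signed cookie tampered: nothing trustworthy to forward
        forwarded[name] = original  # equals `value` whenever the plaintext is unaltered
    return forwarded
```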

Cookie Security Interaction with Other Security Features

Encrypting a cookie may change the length of the cookie, but the number of headers in the message remains unchanged. When a cookie is signed, the length of the cookie changes and one or more headers are appended to the forwarded message. If the SECURITY POLICIES > Request Limits configuration constrains the number or length of HTTP headers, a signed or encrypted cookie may violate those request limits and cause messages to be rejected unintentionally. Messages rejected this way are logged with the Action value Cloak on the BASIC > Web Firewall Logs page.

Configure Cookie Security

To encrypt or sign cookies and reject tampered cookies, enable cookie security using the following steps:

  1. Click Save.

Securing Barracuda WAF Generated Internal Cookies

Internal cookies are not vulnerable because they are encrypted and are never passed to the back-end servers. Although vulnerability assessment tools may report these cookies as insecure because they lack attributes such as HttpOnly or Secure, these findings are always false positives and can be safely ignored.

Related Articles

Cookie Tampering Attacks Logged When Barracuda Web Application Firewall Is Initially Deployed
