ASM best practice to allow \ in new sec-ch-ua header

Question

Hello,&nbsp;Recently some of our developers have upgraded to msedge dev then beta, and these browsers (and maybe more chromium based browsers in dev/beta mode) are adding a specific Brand in the sec-ch-ua header, like this :sec-ch-ua:&nbsp;"Chromium";v="85", "\Not;A\"Brand";v="99", "Microsoft Edge";v="85"&nbsp;The F5 ASM we use here (we use V11 and V13, but this problem appeared for now on our V11 boxes), does block these request as it matches the "IIS Backslash" vulnerability.&nbsp;What does F5 recommend in this situation ? We had 2 choices (but maybe there's a 3rd one that's better and we didn't think about it), and we went for the 2nd one :1st one : disable blocking on IIS Backslashes vulnerability2nd one (current workaround) : disable all checks on the header itself.&nbsp;Does F5 have a specific recommendation for this situation ?&nbsp;Thanks in advance,Regards,Thierry&nbsp;

ivan_chernenkii · Answer

Hello,&nbsp;As I see, current workaround is pretty good. Also, you can disable only "Url Normalization" for "sec-ch-ua" header - it should be enough.&nbsp;Thanks, Ivan

thierry · Answer

Thanks a lot, Ivan.

Forum Discussion

ASM best practice to allow \\ in new sec-ch-ua header

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

FTP PASV mode to Extended Passive mode

Oracle JDBC SSL Termination failing on F5

APM for banner and cert

An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)

Related Content

AS3 Best Practice

Five Ways to Automate F5OS with Ansible: A Practical Guide

F5 Certified Practice Exams

ASM: Header 'sec-ch-ua' has no value

Cipher Suite Practices and Pitfalls

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS