An Attack signature violation needs to be investigated in logs. There's zero possibility that any attack detection signature matched because you requested . Therefore the links you provided are irrelevant here. Again, you need to look into request logs and observe the signatures that were matched. Possibly the request to had a header or cookie which contained malicious data, for example, an attempt to execute Shellshock attack. Deciding on attack detection signatures is more difficult. If you trust the source, it's best to disable the attack detection signature. If not, you need to wait further and see how frequently these violations trigger, from how many different IPs and from which geographic locations those violating requests arrive, and so on. There's no rule that gives you correct answer on 100% occasions. You make a best-effort call based on the data you have/collect.