Forum Discussion
Authorization Header Defined as Unparsable by F5_ASM
One of our development teams is adding a new OAUTH token feature to an application. Sending the JSON call with the Authorization header creates an error within F5_ASM (ver 15.13):
HTTP Validation Unparsable request content
Details Unparsable authorization header value
I also see that the Authorization header's data is masked, though there's no settings for the Authorization header in the policy. What are my best options for troubleshooting this issue?
- AlexBCTCumulonimbus
Hi,
Any chance that you've run into this bug? https://support.f5.com/csp/article/K67111200
Version 15.1.3 is one of the affected versions
Hope this helps.
- biggaragaNimbostratusFor clarification, my team has been reading through these: Disable the Unparsable request content violation You may disable the Unparsable request content violation in the affected security policies. Impact of workaround: The BIG-IP will no longer trigger violations for any unparseable content, not specifically limited to Authorization headers. Enable the 'ignore_authorization_header_decode_failure' internal parameter Consider enabling this internal parameter to ignore only failures to decode authorization headers, leaving the Unparsable request content violation enabled in the policy. There’s two options here, and we’re wondering if this is granular to do per policy or if we have to do for all policies. Could you give us clarity? Thanks
- biggaragaNimbostratus
It's not immediately clear to us whether we have the option to do the first option (disable the Unparsable request content violation) for specific policies because of how the impact sentence is phrased. Does that option cover specific policies or all policies behind F5_ASM?
Similarly with the second option, 'ignore_authorization_header_decode_failure' -- does that option cover specific policies or all policies behind F5_ASM?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com