Forum Discussion

Cirrus

Feb 12, 2019

Content-Type header in body

Hello guys, I have an application that behaves not really RFC compliant, crafting request with Content-Type header after a CRLF. The request is a multipart/form-data. ASM is then considering thi...

ASM Advanced WAF

security

samstep

Cirrocumulus

Mar 04, 2019

RFC violation is pretty serious and the risks are quite high - just Google for "CRLF Injection" to see the dangers of such attacks.

You should really speak to application developers to get them to fix this and remove the CRLF injection vulnerability. If fixing the application code is not possible then you need to very carefully consider the exception - you might need to do it with an iRule and only allow the exception from Trusted IP address rather than the whole Internet.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Content-Type header in body

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

T4 and ALL tenant images

Unable to Forward APM and AFM Logs to AWS CloudWatch Using Telemetry Streaming

Managing iRules configuration

CPU load when Prometheus is scraping metrics from F5 BIG-IP LTM

[ASM] - How to disable the SQL injection attack signatures

Related Content

x-content-type-options

Content type tracking

exclude HTTP::header value Content-Type] equals "text/xml; charset=utf-8" from SSL redirect

change content type for specific uri in http response

Log Http Headers

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS