For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

stephen4f5's avatar
stephen4f5
Icon for Nimbostratus rankNimbostratus
Apr 17, 2024

Content type hearder charset=UTF-8

Hello friends,

  We have a requirement to have WAF should only allow charset=UTF-8 in the Content-Type header.  So curios does this cover by any rule in ASM policy or do we have to create a custom rule through iRule or other ?   Basically our objective to accept only ute-8 and reject rest of any.   Appreciate any inputs !!

event
security

3 Replies

  • Enes_Afsin_Al's avatar
    Enes_Afsin_Al
    Icon for MVP rankMVP
    Apr 28, 2024

    Hi stephen4f5,

    Requests that do not contain charset=UTF-8 in the Content-Type header can be blocked with a custom attack signature.

  • spalande's avatar
    spalande
    Icon for Nacreous rankNacreous
    Apr 29, 2024

    Alternatively, you can also create LTM policy or iRule to reject the traffic which doesn't have that content-type header. 

  • zamroni777's avatar
    zamroni777
    Icon for MVP rankMVP
    Apr 29, 2024

    i dont think utf8-only rules is included in asm built-in rules because utf8 cannot cover all aphabets in single code, e.g. each chinese alphabet needs 3 utf8 codes.
    so you need to set custom LTM/ASM filter for it