Forum Discussion
DrewW
Nimbostratus
NimbostratusHeader name with no header value
Hi, We had to create a new App Security policy because technical support couldn't tell us why our old one wasn't doing anything after several days of working with them. I am seeing some events ...
Erik_Novak
Employee
EmployeeIn terms of RFC2616 compliance, the empty From: header in your example is probably harmless, but in some cases headers with empty values can cause errors in some parsers. That is why it triggers a violation. You can turn off the block flag for the violation "Header name with no header value" if you determine it is causing a false positive. You have control over the blocking action for every single violation on the Learning and Blocking Settings page. According to RFC, the From request-header field, if given, SHOULD contain an Internet e-mail address for the human user who controls the requesting user agent. The address SHOULD be machine-usable, as defined by "mailbox" in RFC 822 [9] as updated by RFC 1123. Again, probably not malicious but informative about the clients that are accessing your app.
DrewWNimbostratus
NimbostratusSo does Google's crawler actually send it with an empty From: or not? Any clue?
It could just be another scraper saying that its Google.
MarvinCirrocumulus
Hi Drew had similar issue client is buying these Google services but for some Google crawlers the from header was empty.
This was of course spoiling the WAF logs with false alerts so what we did is to strip the empty header with Irule when it comes in (bit nasty)
The another thing that should be improved is to mark this BOT as trusted as by default it is untrusted and you cannot overwrite that according to F5 support. So I agree with you this should be improved cause when you acquire their services it should be marked as trusted in my opinion.