HTTP header name with underscore cannot be masked in AWAF logging
I'm currently facing the situation that I need to mask the value of several HTTP headers in AWAF logging. I have set up both headers in an identical manner within the application security policy, both with the "Mask Value in Logs" option enabled:
Now, when I issue an HTTP request like that with both headers being present...
...one of those headers will get masked/obfuscated in the logging, the other will not:
I suppose this is due to the underscore in the HTTP header name. I am aware that the use of underscores in HTTP header names is discouraged and considered deprecated, but nevertheless these are present out there and there has to be a solution to this.
TMOS version is 15.1.5
Has anybody experienced a similar situation and knows how to circumvent this? Any help is appreciated.
Many thanks in advance,