HTTP Headers - HTTP Compliance Failed

Question

GET /xy/login.html?lang=ar HTTP/1.1
Host: www.abcdef.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; HTC One Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Referer: https://www.abcdef.com/ar/abc-def
Accept-Language: ar-SA,en-US;q=0.8
Cookie: **********************
DNT: 1
X-Requested-With: com.htc.sense.browser
X-Wap-Profile:&nbsp;
Can we ignore this X-Wap-Profile? or it is necessary header.&nbsp;

kai_wilke · Answer

Hi MSZ,
It may be required by your application, but only the developer of the application knows for sure. For further reading on the purpose of the X-Wap-Profile header see...
https://en.wikipedia.org/wiki/UAProf
But the header should have at least a value to become RFC conform. You could now either allow non empty headers in ASM, or use an iRule to remove every empty instance of "X-Wap-Profile" before passing the request to ASM.
when HTTP_REQUEST {
    if { [HTTP::header value "X-Wap-Profile"] eq "" } then {
        HTTP::header remove "X-Wap-Profile"
    }
}

Cheers, Kai

msz · Answer

There must be a value for every Header for Compliance. We cannot remove  check of blocking on Header Compliance. 
If we ignore this then, will it be harmful for application?
Kindly suggest.&nbsp;

kevin_stewart · Answer

You have two options:&nbsp;
Remove the header if it exists, or&nbsp;
Add some value to the header if its value is null&nbsp;
In either case, how it may or may not affect the application is dependent on the application itself.&nbsp;

kai_wilke · Answer

It would strongly depend on your application. If the application is well designed then it would not be a problem for the application to receive empty http headers. But I also guess it would be not a problem to just remove the empty header using the provided iRule or even change the header to have a value of "\"\"" (its a double double-quote after substitution).

Cheers, Kai

kevin_stewart · Answer

How to convey this to application team.? &nbsp;

You first have to define what application needs this header, if the header is necessary for the application to function, and/or if it's acceptable to add a value to it. This information will likely come from the application team directly. Or as is usually the case, because they won't know, after simply testing your header removal or value-adding iRule code.&nbsp;

Is there any way to ignore individual http header?&nbsp;

Again, you're asking about compliance and functionality, which are sometimes contrary to one another. If the application needs it, and it needs the value to be blank, then you're simply not going to get compliance. &nbsp;

I am unable to find such option in WAF.&nbsp;

Not sure what you're asking here.&nbsp;

Forum Discussion

HTTP Headers - HTTP Compliance Failed

5 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Software Downgrade from version 17.x.x to 15.x.x

Error diskmonitor

CPU utilization of F5OS on r2600

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Hardware replacement i2800 to r2600

Related Content

BIG-IP security hardening and compliance checks

Implementing F5 NGINX STIGs: A Practical Guide to DoD Security Compliance

Making WAF Simple: Introducing the OWASP Compliance Dashboard

Meeting the Federal Quantum Challenge: How F5 Enables Compliance with New Government Mandates

Maintaining BIG-IP's Golden Compliance Configuration in Financial Services

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS