Forum Discussion
HTTP Protocol Compliance Failed: Header name with no header value
Hi,
I am getting the following blocked request:
Header 'User-ID' has no value.
POST /abcd/api/checkActivatedWatch HTTP/1.1
Host: new.temporary.com
Content-Type: application/json
Accept: /
Connection: keep-alive
UserID:
User-Agent: *********%20Extension/2 CFNetwork/759.3.2 Darwin/15.4.0
Accept-Language: en-us
Content-Length: 0
6 Replies
- Yann_Desmarest_
Nacreous
Hello,
What is the question? You effectively have a header named UserID and there is no value assigned to it, so ASM triggers this blocking action. You can uncheck this setting within the "Security >> Blocking >> Settings >> HTTP Protocol Compliance Failed" section.
- MSZ
Nimbostratus
This will be applied to all headers. I need to do it for only one header. One option I know is to create an iRule. But is there any other option?
Hello,
Unfortunately, you can do it only using an iRule. The HTTP Headers section can't help, as you can just disable Evasion Techniques from checking.
You can use an iRule to override the blocking action: https://devcentral.f5.com/wiki/iRules.ASM__unblock.ashx
or sanitize the UserID header when it's blank
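The "sanitize the UserID header when it's blank" option from the reply above, as an added iRule example (not code from this thread or from F5). It assumes the iRule is attached to the virtual server that carries the ASM policy, that the blank header only needs handling on the URI from the blocked request, and that the application treats a missing UserID the same as an empty one.

```tcl
when HTTP_REQUEST {
    # HTTP_REQUEST fires before ASM evaluates the request, so a header
    # removed here is never seen by the HTTP protocol compliance check.

    # Scope the exception to the one endpoint from the blocked request
    # (path taken from the post above), so "Header name with no header
    # value" stays enforced for all other traffic and all other headers.
    if { [HTTP::path] eq "/abcd/api/checkActivatedWatch" } {
        if { [HTTP::header exists "UserID"] } {
            # Treat a value that is empty or whitespace-only as blank.
            if { [string trim [HTTP::header value "UserID"]] eq "" } {
                # Log each sanitized request so the exception stays auditable.
                log local0.info "Removing empty UserID header from [IP::client_addr] on [HTTP::path]"
                HTTP::header remove "UserID"
            }
        }
    }
}
```

Unlike unchecking the violation in the blocking settings, this leaves the compliance check active for every other header and URI.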
- Charles_Rosenbe
Historic F5 Account
If you know exactly what circumstances you will see a blank value for that header, you might be able to utilize that logic to use a different ASM policy when you expect a blank value. Local Traffic Policies give you some level of logic control without using iRules and if the logic is applicable, you could create a separate policy where that violation was disabled, enable that ASM policy using the traffic policy logic and use your main policy at other times. This would have less impact than iRules.
Basically the idea would be to use traffic policies to determine which ASM policy to use. One policy would have that violation enabled and another would have it disabled. The local traffic policy would then enable the appropriate policy.
This is all dependent upon the ability to determine under what conditions that header would show up as blank - certain URLs, certain cookies, etc.