Forum Discussion

Eric_Weiss_2486
Feb 15, 2016

HTTP::header - match on 'Cookie' header entry

I'd like to use a rule to block client to REST server connections, as only server-to-server should be allowed for REST services. Does the following look sound? The idea is to block client connections. This would most likely still allow other client connections, such as curl, wget, etc. so I'm not sure on how to create a rule that's more broad-sweeping than this. Any suggestions would be greatly appreciated!


If header 'Cookie' contains ‘deviceType=desktop’, reject the connection.

    when HTTP_REQUEST {
        # string match uses glob patterns, so the wildcards are needed for a
        # "contains" test; without them only an exact header value would match
        if { [string match -nocase "*deviceType=desktop*" [HTTP::header "Cookie"]] } {
            reject
        }
    }


Thank you! Eric


3 Replies

  • I believe the syntax might look a bit more like this:

    when HTTP_REQUEST {
        if { ( [HTTP::cookie exists deviceType] ) and ( [HTTP::cookie value deviceType] contains "desktop" ) } {
            reject
        }
    }
    

    But then it's more accurate to say that it'll be challenging at best to absolutely prevent this, assuming that a client can modify any part of the request. The client can add/remove/modify any headers and cookies, so it's virtually impossible to secure an application using HTTP values in this way. And as long as you understand and accept this, you might just be better off limiting access by the User-Agent header, if service and browser UAs are indeed different.

  • Hi Eric,

    you may try the syntax below, to "soft-block" the most common Browser-based User-Agents...

    when HTTP_REQUEST {
        if { ( [HTTP::header value "User-Agent"] contains "Mozilla" ) or 
             ( [HTTP::header value "User-Agent"] contains "Opera" ) } then {
             reject
        }
    }
    

    Note: I have to second Kevin's opinion. Using such an ACL is more or less just providing Security-by-Obscurity... 😉

    Note: Test the iRule carefully so as not to block legitimate API traffic. There is a chance that a developer is somehow using a browser-based User-Agent string...

    Cheers, Kai

  • Thank you, Kevin and Kai! This is excellent, and precisely what I was looking for. Your cautionary info is also noted.
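To make the two cautions in this thread concrete (Kevin's point that a client controls its own cookies and headers, and Kai's point that a User-Agent rule can also catch legitimate API clients), here is an added example, not F5 code and not an iRule, that reproduces the decision logic of the cookie-based rule and the User-Agent-based rule in plain Python and runs both over a handful of constructed requests. The request samples, the header values and the function names are all assumptions made for the example; only the matching logic (cookie `deviceType` containing `desktop`, User-Agent containing `Mozilla` or `Opera`) comes from the replies above.

```python
"""Model of the cookie-based and User-Agent-based iRule checks from this thread.

Added example: this is not an iRule and not F5 code. It only mirrors the
decision logic so that both rules can be exercised offline over constructed
requests and the weak spots discussed in the replies become visible.
"""
from typing import Dict, Optional, Tuple

# Substrings Kai's rule looks for in the User-Agent header.
BROWSER_UA_MARKERS = ("Mozilla", "Opera")


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_cookies(cookie_header: Optional[str]) -> Dict[str, str]:
    """Split a Cookie header into a name -> value map, as HTTP::cookie would read it."""
    cookies: Dict[str, str] = {}
    if not cookie_header:
        return cookies
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def reject_by_cookie(headers: Dict[str, str]) -> bool:
    """Kevin's rule: reject if cookie deviceType exists and its value contains 'desktop'."""
    cookies = parse_cookies(get_header(headers, "Cookie"))
    return "deviceType" in cookies and "desktop" in cookies["deviceType"]


def reject_by_user_agent(headers: Dict[str, str]) -> bool:
    """Kai's rule: reject if the User-Agent contains one of the browser markers."""
    ua = get_header(headers, "User-Agent") or ""
    return any(marker in ua for marker in BROWSER_UA_MARKERS)


# Constructed sample requests (assumed values, not captured traffic).
SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    # A normal desktop browser: both rules reject it.
    "browser": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/44.0",
        "Cookie": "sessionid=abc123; deviceType=desktop",
    },
    # curl with no cookie: neither rule rejects it, as Eric suspected.
    "curl": {"User-Agent": "curl/7.47.0"},
    # The intended server-to-server caller: neither rule rejects it.
    "backend": {"User-Agent": "OrderService/1.2", "Content-Type": "application/json"},
    # A browser whose cookies were cleared: the cookie rule no longer sees
    # anything to match on (Kevin's caveat); the User-Agent rule still fires.
    "browser_no_cookie": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) Safari/601.4.4",
    },
    # A legitimate API client that ships a browser-like User-Agent: the
    # User-Agent rule rejects it, which is the false positive Kai warns about.
    "api_client_browser_ua": {
        "User-Agent": "Mozilla/5.0 (compatible; ReportSync/2.0)",
        "Accept": "application/json",
    },
}


def evaluate_all() -> Dict[str, Tuple[bool, bool]]:
    """Return name -> (rejected by cookie rule, rejected by User-Agent rule)."""
    return {
        name: (reject_by_cookie(headers), reject_by_user_agent(headers))
        for name, headers in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (by_cookie, by_ua) in evaluate_all().items():
        print(f"{name:24s} cookie_rule={'reject' if by_cookie else 'allow':6s} "
              f"ua_rule={'reject' if by_ua else 'allow'}")
```

Running it shows the shape of the trade-off: the cookie rule only blocks a client that chooses to present the cookie, the User-Agent rule blocks the common browsers but passes curl and the backend caller unchanged, and it also blocks the API client that happens to send a `Mozilla` string, which is exactly why Kai asks for careful testing against real API traffic before relying on it.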