Forum Discussion

Eric_Weiss_2486's avatar
Eric_Weiss_2486
Icon for Nimbostratus rankNimbostratus
Feb 15, 2016

HTTP::header - match on 'Cookie' header entry

I'd like to use a rule to block client to REST server connections, as only server-to-server should be allowed for REST services. Does the following look sound? The idea is to block client connectio...
BIG-IP
iRules
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Feb 15, 2016

I believe the syntax might look a bit more like this:

when HTTP_REQUEST {
    if { ( [HTTP::cookie exists deviceType] ) and ( [HTTP::cookie value deviceType] contains "desktop" ) } {
        reject
    }
}

But then it's more accurate to say that it'll be challenging at best to absolutely prevent this, assuming that a client can modify any part of the request. The client can add/remove/modify any headers and cookies, so it's virtually impossible to secure an application using HTTP values in this way. And as long as you understand and accept this, you might just be better off limiting access by the User-Agent header, if service and browser UAs are indeed different.