Forum Discussion

Aurel's avatar
Icon for Cirrus rankCirrus
Jun 26, 2019

Unparsable request content - which security tradeoff ?

Hello all,


I am facing a violation for URL length exceeding the default ASM (2048) value.

Options to deal with this seems to be :

  • increasing the whole system variable value of 2048
  • Disable the HTTP compliance check "Unparsable request content" that implies removal of several others HTTP checks for the whole policy.
  • Disabling ASM for the specified URI


What do you think that would be the best security tradeoff ?

Having no ASM at all for an URI, or releasing some HTTP checks on the whole policy ? or increasing default system value and then increasing ASM load.


thanks a lot for any thought


4 Replies

  • Hi Aurel and santoshmashetti  , 

    The best security tradeoff is to define this URI(s) in ASM Microservices and disable HTTP compliance check under this URI only. 

    Look at here for more details :

    doing this narrow the attack service for your device and provide an optimal tradeoff for your policy. 
    But make sure this length is valid in the violation is a false positive.



  • JG's avatar
    Icon for Cumulonimbus rankCumulonimbus

    There could be a third option,i.e. fix the application and make it use the POST method.

    • Aurel's avatar
      Icon for Cirrus rankCirrus

      Hi JG, Absolutely. I talked to the app team before, and this behaviour would be consequence of mini applications inside the application page. I will make them aware of the security issue that this implies.


      • santoshmashetti's avatar
        Icon for Nimbostratus rankNimbostratus

        Hi Aurel,JG

        This is Santosh.

        I am new to F5, I am also facing the same issue. I can ask the application team to make it as a post method. But my question is in details of this violation it is showing "URL length: 3610 exceeded maximum limit of: 3096". I am bit curious how this 3610 is been calculated. I tried to match this 3610 with the request URI but is no where matching. actually there is very big query string content which is more number of bytes than 3096. Can you help me to understand how it will be calculated.


        Thanks in advance,
        Santosh. M