User Agent: Linux and Request Method: HEAD

Question

HEAD /URI-TESTING HTTP/1.1
Host: applicationtesting.abc.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/47.0 (Chrome)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
X-Forwarded-For: IP Address&nbsp;

nathe · Answer

Sorry, not clear what the issue of question is here&nbsp;

msz · Answer

HEAD /URI-TESTING HTTP/1.1 &nbsp;
Host: applicationtesting.abc.com &nbsp;
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/47.0 (Chrome) &nbsp;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 &nbsp;
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 &nbsp;
Accept-Language: en-us,en;q=0.5 Connection: close &nbsp;
X-Forwarded-For: IP Address&nbsp;
========&nbsp;
We are observing the HEAD request when we see the user agent X11, Linux
HEAD is considered the not allowed method.&nbsp;
But why it is coming with Linux as per user agent.&nbsp;

nathe · Answer

Is it similar to this: &nbsp;
https://serverfault.com/questions/653715/head-requests-from-linux-ubuntu-boxes&nbsp;

msz · Answer

Thanks.&nbsp;
But what is your expertise? 
Should we convey it to application team for implementation or change the HEAD request to some GET request if traffic is legitimate.&nbsp;

leonardo_souza3 · Answer

You tagged the question as ASM, so I am assuming you have ASM.&nbsp;
ASM allows HEAD by default, if you allow in your server or not is the main question.&nbsp;
HEAD is considered a safe method:&nbsp;
https://en.wikipedia.org/wiki/Hypertext_Transfer_ProtocolRequest_methods&nbsp;
"Safe methods&nbsp;
Some of the methods (for example, HEAD, GET, OPTIONS and TRACE) are, by convention, defined as safe, which means they are intended only for information retrieval and should not change the state of the server. In other words, they should not have side effects, beyond relatively harmless effects such as logging, caching, the serving of banner advertisements or incrementing a web counter. Making arbitrary GET requests without regard to the context of the application's state should therefore be considered safe. However, this is not mandated by the standard, and it is explicitly acknowledged that it cannot be guaranteed."&nbsp;
From a security point of view, I don't see why not allow HEAD method.&nbsp;

Forum Discussion

User Agent: Linux and Request Method: HEAD

7 Replies

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

Scenarios where Service Policy should be used over iRule and Vice versa

Issue on connection limit

Request logging: some fields not recorded

ASM Sec-CH-UA-Full-Version-List backquote in Header

F5 Distributed Cloud Services Simulator Connect

Related Content

IngressNightmare, Next.js critical, More Agents, pwned

BIG-IP APM integration with Open Policy Agent (OPA)

AI Friday: Agentic AI, Helix VLAM, Google Gemini Robotics, Managing Agents

Agentic RAG - Securing GenAI with F5 Distributed Cloud Services

Money, Agents, Apologies, Switcheroos, Hype, and Hope

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS