Forum Discussion
User Agent: Linux and Request Method: HEAD
HEAD /URI-TESTING HTTP/1.1
Host: applicationtesting.abc.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/47.0 (Chrome)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
X-Forwarded-For: IP Address
7 Replies
- nathe
Cirrocumulus
Sorry, it's not clear what the issue or question is here.
- MSZ
Nimbostratus
HEAD /URI-TESTING HTTP/1.1
Host: applicationtesting.abc.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/47.0 (Chrome)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
X-Forwarded-For: IP Address
========
We are observing HEAD requests when we see the X11 Linux user agent; HEAD is considered a not-allowed method.
But why is it coming with Linux as the user agent?
- nathe
Cirrocumulus
Is it similar to this:
https://serverfault.com/questions/653715/head-requests-from-linux-ubuntu-boxes
- MSZ
Nimbostratus
Thanks.
But what is your expertise? Should we convey it to the application team for implementation, or change the HEAD request to a GET request if the traffic is legitimate?
- Leonardo_Souza3
Nimbostratus
You tagged the question as ASM, so I am assuming you have ASM.
ASM allows HEAD by default; whether you allow it on your server or not is the main question.
HEAD is considered a safe method:
https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods
"Safe methods
Some of the methods (for example, HEAD, GET, OPTIONS and TRACE) are, by convention, defined as safe, which means they are intended only for information retrieval and should not change the state of the server. In other words, they should not have side effects, beyond relatively harmless effects such as logging, caching, the serving of banner advertisements or incrementing a web counter. Making arbitrary GET requests without regard to the context of the application's state should therefore be considered safe. However, this is not mandated by the standard, and it is explicitly acknowledged that it cannot be guaranteed."
From a security point of view, I don't see why not to allow the HEAD method.
- MSZ
Nimbostratus
Let me complete the question now: a Linux User-Agent with request method HEAD is generating the "Illegal HTTP status in response" violation; a 501 code is being generated.
The HEAD method is already allowed to act as a GET method under Headers -- HTTP Methods.
Hope it clarifies the situation now.
- Giel
Nimbostratus
"Illegal HTTP status in response" means the server sent an HTTP status code (in this case, 501) that is not allowed by your ASM policy. If this is a valid response in your application, you can add this code to the allowed response status code list under Security -> Application Security -> [your policy name] -> Advanced -> Allowed Response Status Codes.
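The thread's symptom can be reproduced offline to confirm which side is at fault before touching the ASM policy. The following is an added example, not code from the thread or from F5: a throwaway local backend that implements GET but not HEAD answers HEAD with 501 (exactly what a server that has not implemented the method does), a fixed backend that answers HEAD with GET's status and headers and no body, and a small model of the "Illegal HTTP status in response" check. The allowed-status list is an assumption about ASM's default (1xx-3xx plus 400, 401, 404, 407, 417, 503), the hostname and User-Agent are copied from the post, and the paths are illustrative.

```python
"""Reproduce the thread's symptom offline: a backend that implements GET but
not HEAD answers HEAD with 501, which an ASM policy whose allowed response
status list lacks 501 reports as "Illegal HTTP status in response"."""
import http.client
import threading
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BODY = b"<html><body>URI-TESTING</body></html>"  # constructed sample page
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/47.0 (Chrome)"


class GetOnlyHandler(BaseHTTPRequestHandler):
    """Backend as the thread describes it: GET works, HEAD is not implemented.
    BaseHTTPRequestHandler answers any method lacking a do_<METHOD> with 501."""

    def do_GET(self):
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class GetAndHeadHandler(GetOnlyHandler):
    """Fixed backend: HEAD returns the same status and headers as GET, no body."""

    def do_HEAD(self):
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()


# Assumed, not stated in the thread: ASM's default allowed response status codes
# are 1xx-3xx plus 400, 401, 404, 407, 417 and 503. Treat this as illustrative.
DEFAULT_ALLOWED = set(range(100, 400)) | {400, 401, 404, 407, 417, 503}


def status_violation(code, allowed=DEFAULT_ALLOWED):
    """Model of the 'Illegal HTTP status in response' check: True if flagged."""
    return code not in allowed


def probe(handler_cls, method):
    """Start a local server with handler_cls, send one request with the
    User-Agent from the thread, and return (status, body_length)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request(method, "/URI-TESTING", headers={
            "Host": "applicationtesting.abc.com",
            "User-Agent": UA,
            "Connection": "close",
        })
        resp = conn.getresponse()
        body = resp.read()  # http.client reads no body for HEAD
        conn.close()
        return resp.status, len(body)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, cls in (("GET-only backend", GetOnlyHandler), ("GET+HEAD backend", GetAndHeadHandler)):
        for method in ("GET", "HEAD"):
            status, n = probe(cls, method)
            flag = "VIOLATION" if status_violation(status) else "ok"
            print(f"{name:17s} {method:4s} -> {status} ({n} body bytes)  ASM: {flag}")
```

Running it shows the GET-only backend returning 200 for GET and 501 for HEAD, with 501 flagged, and the GET+HEAD backend returning 200 for both. In the real deployment the equivalent check is to send a HEAD request straight to the pool member, bypassing the virtual server: a 501 there means the application itself rejects HEAD, so the choice is between having the application team implement HEAD and whitelisting 501 in Allowed Response Status Codes, as described above.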