Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Marcel_Derksen_'s avatar
Marcel_Derksen_
Icon for Nimbostratus rankNimbostratus
21 years ago

Validate Application Requests

Hi,   I want the F5 to validate the application request so it can function as a full L7 proxy. Is there a way to solve this using iRules or is this something that is standard behaviour? So if a l...
application delivery
dev
devops
irules
unRuleY_95363's avatar
unRuleY_95363
Historic F5 Account
21 years ago
Hi Marcel,

The BigIP doesn't necessarily validate HTTP requests. We do validate that the request is compliant with RFC2616. Ie, the first line of a request has three fields, the method, a uri, and a version. We do not validate what the methods are or what the version is.

If you would like to do that kind of thing, then the following rule example should help: 

    
 class valid_methods { 
    "GET" 
    "POST" 
    "HEAD" 
 } 
 rule validate_http { 
    when HTTP_REQUEST { 
       if { [HTTP::version] eq "Unknown" } { 
          log "Invalid HTTP version - connection from: [IP::remote_addr]:[TCP::remote_port] rejected" 
          reject 
       } elseif { not [matchclass [HTTP::method] equals $::valid_methods] } { 
          log "Invalid HTTP method [HTTP::method] - connection from: [IP::remote_addr]:[TCP::remote_port] rejected" 
          reject 
       } 
    } 
 }

You can update the valid_methods class to include any methods your site might need.