What is the best way to block ajax requests?

Question

I have a page running behind the F5, the application makes queries to a database through AJAX, however for a programming error they left part of the code open, and after the time we discovered that a user made queries from an application through the page through AJAX requests.&nbsp;
The error of the code was solved, blocking those queries.&nbsp;
The query is: what is the best way (with an IRULE LTM, ASM, etc.) to block all AJAX queries that come from a user?&nbsp;
Thank you very much.&nbsp;

nathe · Answer

What about an irule like this?
when HTTP_REQUEST { 
if { [HTTP::header "X-Requested-With" ] equals "XMLHttpRequest" } { 
drop 
   } 
 }

Or a custom ASM signature with the following rule?
headercontent:"XMLHttpRequest"; nocase;
To be honest, a bit of a punt this. Other DCers may come back and highlight major errors with these approaches 🙂

Forum Discussion

What is the best way to block ajax requests?

1 Reply

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Not seeing the latest F5OS-A when running Journeys

Related Content

Block requests by reverse DNS record

Service Extensions with SSL Orchestrator: Advanced Blocking Pages

Block Referral Requests

HTTP Request Smuggling Using Chunk Extensions (CVE-2025-55315)

Beware, your logs - how blocked log4shell, Spring4Shell etc requests can still lead to compromise

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS