Forum Discussion
AskingQuestion_
Nimbostratus
Nov 09, 2015
What is the reason HTTP Status 500 defined as an illegal http status in response in ASM?
We have an application generating status 500 code, which was defined as illegal http status in response by ASM. By reading some information, it seems that ASM defines 4xx - 5xx all as illegal by def...
Michael_Koyfma1
Cirrus
Nov 09, 2015
It allows for information leakage. For example, many Java stacks will disclose where exactly the error happened when a 500 is generated, etc. ASM's goal is to prevent as much information disclosure about the backend as possible. Additionally, exposing that a particular request generates a 500 error may give an attacker an idea about a certain attack vector as well.
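The leakage described in the answer above, shown as an added example that is not part of the original posts and is not ASM configuration: a small Python WSGI middleware that replaces any 5xx response body with a generic message and a support ID, keeping the detail in the server-side log. The names `MaskServerErrors`, `leaky_app` and `call`, and the sample stack trace, are constructed for illustration.

```python
import logging
import uuid

log = logging.getLogger("error_mask")

class MaskServerErrors:
    """WSGI middleware: swap any 5xx response for a generic page plus support ID.
    Buffers the whole response, so it is not suited to streaming backends."""

    def __init__(self, app, public_status="500 Internal Server Error"):
        self.app = app
        self.public_status = public_status  # what the client sees for every 5xx

    def __call__(self, environ, start_response):
        seen, chunks = {}, []

        def capture(status, headers, exc_info=None):
            seen["status"], seen["headers"] = status, list(headers)
            return chunks.append  # legacy write() callable

        result = self.app(environ, capture)
        try:
            chunks.extend(result)
        finally:
            if hasattr(result, "close"):
                result.close()
        status, headers, body = seen["status"], seen["headers"], b"".join(chunks)

        if status.startswith("5"):
            support_id = uuid.uuid4().hex[:12]
            # Full detail stays in the server-side log, keyed by the support ID.
            log.error("support_id=%s path=%r upstream_status=%s body=%r",
                      support_id, environ.get("PATH_INFO"), status, body[:2000])
            body = f"The request could not be completed. Support ID: {support_id}\n".encode()
            status = self.public_status
            headers = [("Content-Type", "text/plain; charset=utf-8"),
                       ("Content-Length", str(len(body)))]
        start_response(status, headers)
        return [body]

def leaky_app(environ, start_response):
    """Constructed sample backend that returns a Java-style stack trace."""
    start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
    return [b"java.lang.NullPointerException\n"
            b"\tat com.example.shop.OrderDao.find(OrderDao.java:42)\n"]

def call(app, path="/orders/1"):
    """Drive a WSGI app once and return (status, body)."""
    seen = {}
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path},
                        lambda status, headers, exc_info=None: seen.update(status=status)))
    return seen["status"], body
```

Every 5xx from the backend reaches the client with the same status line and body shape, so the response no longer distinguishes one failure from another; operators correlate the support ID with the logged original.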
AskingQuestion_
Nimbostratus
Nov 09, 2015
Thank you for the prompt answer. Does this make 500 a vulnerability by any means? What is the risk level (low, medium, high, critical)?
Thanks.
