Leading tab in header name: Authorization
I have a violation / suggestion: a detection of "Leading tab in header name" for the header named "Authorization". When I look at the request, I don't see the "TAB" in the header name. I expect to see something like this: "	Authorization". But what I see is a header named "Authorization". I'm wondering whether the meaning here is header context or whether there is something else I'm missing. Here is the request and F5 log:

BIG-IP Application Security Manager Security Events Report
Exported on: 2024-08-11 16:40:22 | Exported by:
Hostname: F5-AWAF | IP Address:
Support ID: 5162895

Request Details
Requested URL: [HTTPS] /ag/logout
Time: 2024-08-11 15:46:57
Enforcement Action: Block
Enforced By: Application Security Policy
Violation Rating: 1 (Request is most likely a false positive)
Attack Types: Detection Evasion
Geolocation:
Source IP Address: 9.5.8.6.:53483
Device ID: N/A
Username: N/A
Session ID: ad8a5466e66666b6
Source IP Intelligence: N/A
Security Policy: /Common/SWAF
Virtual Server: /Common/s
Request Status: Blocked
Blocking Exception Reason: N/A
Accept Status: Not Accepted
Host: s.co
Destination IP Address: 16.16.16.6:443
Response Status Code: N/A
Protocol Info: HTTP/1.1
Severity: Error
Signatures CVEs: N/A
Detected Violations: Attack signature detected [1]

Request (actual size: 1337 bytes)
GET /Ag/logout HTTP/1.1
Host: s.co.
Connection: keep-alive
Cache-Control: no-cache, no-store, must-revalidate
sec-ch-ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Pragma: no-cache
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
Authorization: ************************************************************************************************************************************************************************************************
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
If-Modified-Since: 0
Expires: 0
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://s.co/Ag/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en,en-US;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _ga=GA1.1.6666663693.6666667143; SL_C_23361dd035530_SID={"666666":{"sessionId":"6666-T6666666","visitorId":"666666HGfeRq"}}; _ga_QX6666666=GS1.1.6666661357.0.0; TS014666666
X-Forwarded-For: 6.6.6.6

Response
No response details are available because request was blocked

Violation Details
Attack signature detected [1]
Detected Keyword: **** (sensitive data masked)
Attack Signature ID: 200018064
Name: Leading tab in header name
Context: Header
Header Name: Authorization
Header Value: *****
Applied Blocking Settings: Block, Alarm, Learn

Violation Description
The system examines the HTTP message for known attacks by matching it against known attack patterns.
Severity: Error

Big-IP header authorization size is limited ??
Folks, I have an iRule that pulls access session variables, base64-encodes them and inserts the result into a header as Authorization. It was working fine until we started to receive too many values in the access session variable. I can see all the values in the session variable under the event logs, but the Authorization header is sending only 880 bytes of the base64-encoded token to the backend servers (cutting half of the token). My HTTP header size in the profile is set to the default, and the current header size is not even near that value (32768 bytes). FYI: the incoming session variables are SAML attributes, and I'm setting variables (set x [ACCESS::session data get "somesamlvariable"]) to store these SAML attributes and sending them in the header as the auth header. Any help is appreciated!
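Both questions above come down to looking at the raw header bytes rather than at a rendered view: the first asks where the tab in "Authorization" is, the second how long the inserted Authorization value really is. The following added example (my own code, not F5's and not either poster's iRule) walks the field lines of a raw HTTP/1.1 request byte-for-byte, flags a header name that begins with SP or HTAB (the condition the "Leading tab in header name" signature describes), flags whitespace between the name and the colon, and reports any header value longer than a configurable limit. The sample request, the token and the 880-byte limit are constructed for illustration; `b64_encoded_len` is a helper I added to predict how large a base64-encoded session value will be before it is inserted.

```python
import base64
import math

# Constructed sample request (not the original): an HTAB precedes the
# Authorization field name, and the token is a constructed placeholder.
TOKEN = base64.b64encode(b"x" * 660)           # 660 raw bytes -> 880 base64 bytes
RAW_REQUEST = (
    b"GET /Ag/logout HTTP/1.1\r\n"
    b"Host: s.co\r\n"
    b"Connection: keep-alive\r\n"
    b"\tAuthorization: Bearer " + TOKEN + b"\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

# Hypothetical per-header limit; 880 is the size the second post observed.
HEADER_VALUE_LIMIT = 880


def b64_encoded_len(raw_len: int) -> int:
    """Bytes that standard base64 (with '=' padding) produces for raw_len input bytes."""
    return 4 * math.ceil(raw_len / 3)


def header_lines(raw: bytes):
    """Split the head of a raw request into (request_line, [field lines]).
    Lines are kept byte-exact so any leading whitespace survives."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:]


def inspect_headers(raw: bytes, value_limit: int = HEADER_VALUE_LIMIT) -> list:
    """Return findings as dicts {kind, name, detail}, one per problem found."""
    _request_line, lines = header_lines(raw)
    findings = []
    for line in lines:
        name, sep, value = line.partition(b":")
        shown = name.strip(b" \t").decode("latin-1")
        if not sep:
            findings.append({"kind": "malformed", "name": shown, "detail": "no colon"})
            continue
        # RFC 9112: a field line begins with the field name. SP/HTAB before it
        # is obsolete line folding, which different parsers treat differently,
        # which is why a WAF classifies it as detection evasion.
        if name[:1] in (b" ", b"\t"):
            findings.append({"kind": "leading_whitespace", "name": shown,
                             "detail": f"first byte {name[:1]!r}"})
        # Whitespace between the name and the colon is likewise not allowed.
        if name != name.rstrip(b" \t"):
            findings.append({"kind": "space_before_colon", "name": shown,
                             "detail": "whitespace before ':'"})
        value = value.strip(b" \t")
        if len(value) > value_limit:
            findings.append({"kind": "oversized_value", "name": shown,
                             "detail": f"{len(value)} bytes > {value_limit}"})
    return findings


if __name__ == "__main__":
    for f in inspect_headers(RAW_REQUEST):
        print(f"{f['kind']:20} {f['name']:15} {f['detail']}")
    print("660 raw bytes ->", b64_encoded_len(660), "base64 bytes")
```

Run against the constructed request this reports a leading HTAB on Authorization and an 887-byte value over the 880-byte limit. Many log viewers and report exporters trim leading whitespace from a field name when they render it, so a signature match on the raw bytes can show up as a perfectly ordinary "Authorization" in the exported view; a packet capture or a raw dump of the request is the place to confirm it. For the second post, `b64_encoded_len` makes the size relationship explicit: 880 base64 bytes correspond to 660 raw bytes, so measuring the SAML attribute values before encoding tells you how large the inserted header will be.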