Why does mod_security require an ACCEPT HTTP header field?
Posted
by
ripper234
on Server Fault
See other posts from Server Fault
or by ripper234
Published on 2012-04-08T11:53:46Z
Indexed on
2012/04/08
17:34 UTC
Read the original article
Hit count: 310
After some debugging, I found that the core ruleset of mod_security blocks requests that don't have the (optional!) ACCEPT header field.
This is what I find in the logs:
ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "example.com"] [uri "/"] [unique_id "T4F5@H8AAQEAAFU6aPEAAAAL"]
ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "example.com"] [uri "/"] [unique_id "T4F5@H8AAQEAAFU6aPEAAAAL"]
Why is this header required? I understand that "most" clients send these, but why is their absence considered a security threat?
© Server Fault or respective owner