Open
Description
I am using a PHP script to generate the HAR object based on request parameters. This allows me to pass a source URL to APIEmbed, and generate different outputs based on what the user requires.
What I have noticed since pushing this script into production is that the APIEmbed function doesn't work when attempting to run the PHP script hosted on Apache running mod-security.
The key violation is that there is no User Agent specified in the request.
[Thu Nov 05 10:04:49.863381 2015] [:error] [pid xxxxx] [client xxxxxx]
ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file
"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"]
[line "66"] [id "960009"] [rev "1"]
[msg "Request Missing a User Agent Header"]
[severity "NOTICE"]
[ver OWASP_CRS/2.2.6"]
[maturity "9"]
[accuracy "9"]
[tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"]
[tag "WASCTC/WASC-21"]
[tag "OWASP_TOP_10/A7"]
[tag "PCI/6.5.10"]
[hostname "xxxxxxxxx"]
[uri "xxxxxxxxxxx/generateSampleCode.php"]
[unique_id "xxxxxxxxxx"]
This means that I need to modify my security to allow this through. The better function would be for the APIEmbed solution to specify a User-Agent when requesting the JSON source.
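For triaging blocks like the one logged above before changing any rule, a small parser over the Apache error log shows which rule ids deny requests to which URIs. This is an added example, not code from the issue or from APIEmbed; the function names are hypothetical, the log lines are constructed from the entry above with placeholder client and host values, and it assumes one event per log line.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the entry in the issue (client/host are placeholders).
_DENY = ('[Thu Nov 05 10:04:49.863381 2015] [:error] [pid 1234] [client {ip}] '
         'ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 '
         'at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/'
         'modsecurity_crs_21_protocol_anomalies.conf"] [line "66"] [id "960009"] '
         '[msg "Request Missing a User Agent Header"] [severity "NOTICE"] '
         '[tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] '
         '[hostname "example.test"] [uri "/generateSampleCode.php"]')
SAMPLE_LOG = "\n".join([
    _DENY.format(ip="192.0.2.10"),
    _DENY.format(ip="192.0.2.44"),
    '[Thu Nov 05 10:05:02.000000 2015] [core:notice] [pid 1234] AH00094: Command line: httpd',
])

KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] metadata pairs
DENY_RE = re.compile(r'Access denied with code (\d+) \(phase (\d+)\)')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')

def parse_line(line):
    """Return a dict for a ModSecurity error-log line, or None for any other line."""
    if "ModSecurity:" not in line:
        return None
    event = {"tags": []}
    # Only scan the part after the marker so Apache's own prefix fields are ignored.
    for key, value in KV_RE.findall(line.split("ModSecurity:", 1)[1]):
        if key == "tag":
            event["tags"].append(value)      # tags repeat, so collect them in a list
        else:
            event[key] = value
    deny = DENY_RE.search(line)
    event["status"] = int(deny.group(1)) if deny else None   # None means not blocked
    event["phase"] = int(deny.group(2)) if deny else None
    client = CLIENT_RE.search(line)
    event["client"] = client.group(1) if client else None
    return event

def blocked_by_rule(log_text):
    """Count denied requests per (rule id, uri) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["status"] is not None:
            counts[(event.get("id"), event.get("uri"))] += 1
    return counts

if __name__ == "__main__":
    for (rule_id, uri), n in blocked_by_rule(SAMPLE_LOG).items():
        print(rule_id, uri, n)
```

Grouping by rule id and URI keeps any resulting exception scoped to the one endpoint and rule that actually fired.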