Forum Discussion

Robert_Mann_281
Jun 02, 2017

Is it possible to disable a certain signature check on a certain HTTP header?

I'd like to allow “/link” in the referer header, but not in other headers. However, I don’t know how to set up that level of granularity in the ASM. The referer header is defined in the ASM policy, and we can either enable or disable the checking of signatures, but that would be all signatures, not just the one for “/link”. As far as I know, the options are to either disallow all signature checking on just the referer header, or disable the “/link” signature on all headers. Thoughts? Is it possible to disable a specific signature check on a specific HTTP header?

1 Reply

  • Hello Robert,

    We have certain signatures that are dedicated to the Headers field (likewise, we have some dedicated to URI and Parameters, while others are generic signatures that are detected anywhere in the payload). If you would like to disable certain signatures on an HTTP header, then you can disable them if we have them dedicated to headers only. For example, if we take this set, we have this signature dedicated separately to be detected anywhere within the Headers (that includes Referer), Parameters or URI:

    Signature ID 200000133 - link tag (Headers)
    Signature ID 200000134 - link tag (Parameters)
    Signature ID 200000135 - link tag (URI)

    In order to disable the signature check on a certain HTTP header, you can disable Signature ID 200000133 from being triggered. If the attack vector for the link tag is found anywhere within the parameters or URI, then we will respectively detect it via the other two signatures and block the request. If it's detected somewhere within any of the Headers fields, we won't block it (since you will have disabled it).

    If we don't have a specific signature dedicated to Headers, Parameters or URI in the above manner, then you will need to disable that signature globally for this policy, which would then disable the signature check everywhere within the payload.

    Unfortunately, there isn't a way to disable only a specific signature check on a single HTTP header field. If you feel like this is something you'd like to have included/considered as a feature request, I'd recommend opening up a ticket with F5 Support and having this raised with us.

    I hope this information was useful for you.
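The scoping rule described in the reply above, as an added worked example that is not part of the original thread and is not F5 or ASM code: a small Python model of signatures that are dedicated to one request location (Headers, Parameters, URI) versus a generic signature matched anywhere, with a per-policy disable list. The three signature IDs 200000133, 200000134 and 200000135 are the ones named in the reply; the generic signature ID 999999999, the substring patterns and the sample requests are constructed placeholders. Running it shows what the reply states: disabling 200000133 lets "/link" through in the Referer header but also in every other header, the parameter and URI variants are still caught by their own signatures, and a generic signature can only be switched off for the whole policy.

```python
"""Toy model of scoped attack-signature evaluation (constructed illustration,
not F5 ASM code). Signature IDs 200000133-200000135 are the ones quoted in the
reply; signature 999999999 and all patterns/requests are placeholders."""
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    HEADERS = "headers"        # every request header, Referer included
    PARAMETERS = "parameters"
    URI = "uri"
    ANY = "any"                # generic: inspected anywhere in the request


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    scope: Scope
    pattern: str               # constructed: case-insensitive substring match


@dataclass
class Request:
    uri: str
    headers: dict = field(default_factory=dict)
    parameters: dict = field(default_factory=dict)

    def parts(self) -> dict:
        """Map each dedicated scope to the strings that scope inspects."""
        return {
            Scope.HEADERS: list(self.headers.values()),
            Scope.PARAMETERS: list(self.parameters.values()),
            Scope.URI: [self.uri],
        }


# The three location-specific "link tag" signatures from the reply plus one
# constructed generic signature with a placeholder ID and pattern.
SIGNATURES = [
    Signature(200000133, "link tag (Headers)", Scope.HEADERS, "link"),
    Signature(200000134, "link tag (Parameters)", Scope.PARAMETERS, "link"),
    Signature(200000135, "link tag (URI)", Scope.URI, "link"),
    Signature(999999999, "generic example (constructed)", Scope.ANY, "javascript:"),
]


@dataclass
class Policy:
    """Per-policy enable flags, mirroring the per-signature toggle in a policy."""
    disabled: set = field(default_factory=set)

    def disable(self, sig_id: int) -> None:
        self.disabled.add(sig_id)

    def evaluate(self, req: Request) -> set:
        """Return IDs of enabled signatures whose scope contains their pattern."""
        parts = req.parts()
        hits = set()
        for sig in SIGNATURES:
            if sig.sig_id in self.disabled:
                continue
            if sig.scope is Scope.ANY:
                haystacks = [s for group in parts.values() for s in group]
            else:
                haystacks = parts[sig.scope]
            if any(sig.pattern.lower() in s.lower() for s in haystacks):
                hits.add(sig.sig_id)
        return hits


def demo() -> dict:
    """Worked cases with 200000133 disabled: "/link" passes in any header only."""
    policy = Policy()
    policy.disable(200000133)
    referer = Request("/page", headers={"Referer": "https://example.test/link"})
    other_header = Request("/page", headers={"X-Custom": "/link"})
    param = Request("/page", parameters={"q": "/link"})
    uri = Request("/link")
    return {
        "referer": policy.evaluate(referer),        # set(): allowed
        "other_header": policy.evaluate(other_header),  # set(): also allowed
        "parameter": policy.evaluate(param),        # {200000134}: still blocked
        "uri": policy.evaluate(uri),                # {200000135}: still blocked
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:13s} -> {sorted(hits) or 'no signature triggered'}")
```

The `other_header` case is the granularity limit the reply points out: the per-location toggle is "all headers", not "the Referer header". The generic signature in the model has no location toggle at all, so the only way to stop it firing on a Referer value is `policy.disable(999999999)`, which switches it off for the whole request.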