Forum Discussion

MSZ
Mar 29, 2018

User Agent: Linux and Request Method: HEAD

HEAD /URI-TESTING HTTP/1.1
Host: applicationtesting.abc.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/47.0 (Chrome)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
X-Forwarded-For: IP Address

7 Replies

  • nathe

    Sorry, not clear what the issue or question is here.

  • MSZ

    HEAD /URI-TESTING HTTP/1.1
    Host: applicationtesting.abc.com
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/47.0 (Chrome)
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Accept-Language: en-us,en;q=0.5
    Connection: close
    X-Forwarded-For: IP Address

    ========

    We are observing the HEAD request when we see the user agent X11, Linux; HEAD is considered the not-allowed method.

    But why is it coming with Linux as per the user agent?

  • MSZ

    Thanks.

    But what is your expertise? Should we convey it to the application team for implementation, or change the HEAD request to a GET request if the traffic is legitimate?

  • You tagged the question as ASM, so I am assuming you have ASM.

    ASM allows HEAD by default; whether you allow it in your server or not is the main question.

    HEAD is considered a safe method:

    https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods

    "Safe methods

    Some of the methods (for example, HEAD, GET, OPTIONS and TRACE) are, by convention, defined as safe, which means they are intended only for information retrieval and should not change the state of the server. In other words, they should not have side effects, beyond relatively harmless effects such as logging, caching, the serving of banner advertisements or incrementing a web counter. Making arbitrary GET requests without regard to the context of the application's state should therefore be considered safe. However, this is not mandated by the standard, and it is explicitly acknowledged that it cannot be guaranteed."

    From a security point of view, I don't see why not to allow the HEAD method.

  • MSZ

    Let me complete the question now: User Agent: Linux and Request Method: HEAD is generating the "Illegal HTTP status in response" violation, and a 501 code is being generated.

    By the way, the HEAD method is already allowed (ACT as a GET method) under Headers -- HTTP METHODS.

    Hope it clarifies the situation now.

  • Giel

    Illegal HTTP status in response means the server sent an HTTP status code (in this case, 501) not allowed by your ASM policy. If this is a valid response in your application, you can add this code to the allowed response status code list under Security -> Application Security -> [your policy name] -> Advanced -> Allowed Response Status Codes.
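    An added example, not code from this thread or from F5, that reproduces the situation being discussed offline: a stand-in origin built on Python's http.server implements GET but not HEAD, so it answers the thread's HEAD request with 501 Not Implemented, and a small stand-in for the policy's "Allowed Response Status Codes" check flags that 501. The allowed-status list and the check itself are constructed assumptions, not ASM's real implementation.

```python
import threading
from http import HTTPStatus
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of a policy's "Allowed Response Status Codes" list (hypothetical values).
ALLOWED_STATUS = {200, 201, 301, 302, 304, 400, 401, 404}

class OriginWithoutHead(BaseHTTPRequestHandler):
    """Stand-in origin that implements GET only. BaseHTTPRequestHandler answers
    any method it has no do_<METHOD> handler for with 501 Not Implemented."""
    def do_GET(self):
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(port, method, path="/URI-TESTING"):
    """Send one request carrying the thread's User-Agent; return the status code."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers={
        "Host": "applicationtesting.abc.com",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/47.0 (Chrome)",
        "Connection": "close",
    })
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status

def status_violation(status, allowed=ALLOWED_STATUS):
    """Emulate the policy check: a status outside the allowed list raises the violation."""
    return None if status in allowed else "Illegal HTTP status in response"

def run_demo():
    """Start the origin, send HEAD then GET, return (head_status, get_status, violation)."""
    srv = HTTPServer(("127.0.0.1", 0), OriginWithoutHead)  # port 0 = pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        head = probe(srv.server_address[1], "HEAD")
        get = probe(srv.server_address[1], "GET")
    finally:
        srv.shutdown()
        srv.server_close()
    return head, get, status_violation(head)

if __name__ == "__main__":
    print(run_demo())  # (501, 200, 'Illegal HTTP status in response')
```

    A 501 on HEAD alongside a 200 on GET for the same URI points at the origin not implementing HEAD at all, which is worth raising with the application team before simply adding 501 to the allowed list.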