Menu
We've noticed that from time to time we will get a HTTP request without a valid User-Agent string. Is there any valid real-world case for accepting this type of HTTP request?
Why wouldn't we auto block all IP's from which this type of request is received?
UPDATE My intention with the phrase "real-world" was to indicate that I am not asking what the HTTP protocol permits. It is permitted to submit HTTP requests without some headers. I am asking what "real-world" case you would have for allowing this type of HTTP request into your server.
761
The User-Agent request header is a characteristic string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.
A user agent is any software that retrieves and presents Web content for end users or is implemented using Web technologies. User agents include Web browsers, media players, and plug-ins that help in retrieving, rendering and interacting with Web content.
All API-connecting software must include the HTTP User-Agent header to identify itself in the requests that it sends. To be more specific, interface.
Yes its reliable for non hacker user. The user agent string is a text that the browsers themselves send to the webserver to identify themselves, so that websites can send different content based on the browser or based on browser compatibility.
If it were intentional that user agent must be specified I would expect a 400 Bad Request response with a meaningful message.
Last Updated : 11 Oct, 2019 The HTTP headers User-Agent is a request header that allows a characteristic string that allows network protocol peers to identify the Operating System and Browser of the web-server. Your browser sends the user agent to every website you connect to.
Whether or not it's REST, it's still HTTP, and subject to the HTTP specification. A user agent SHOULD send a User-Agent field in each request unless specifically configured not to do so.
It's not a defect if they intentionally want to enforce clients specify a user agent. I think it was a good idea to report it because it is a bit unusual for a REST API to enforce a user agent because REST API are consumed by programmatic clients that typically don't set a user agent by default.
As stated in RFC 7231 (but nearly the same paragraph can be found in RFC2616):
5.5.3 User-Agent
The "User-Agent" header field contains information about the user agent originating the request, which is often used by servers to help identify the scope of reported interoperability problems, to work around or tailor responses to avoid particular user agent limitations, and for analytics regarding browser or operating system use. A user agent SHOULD send a User-Agent field in each request unless specifically configured not to do so.
The keyword here is SHOULD. And yes, there's an RFC that defines what that word is supposed to mean, RFC 2119:
- SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
So, although the agents that do not send User-Agent do not follow what can be considered best practice, they do not violate any rule (rfc). So, in my opinion, there's not really a valid technical reason to block them.
183
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
