Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is lack of User-Agent in HTTP request valid?

Tags:

We've noticed that from time to time we will get a HTTP request without a valid User-Agent string. Is there any valid real-world case for accepting this type of HTTP request?

Why wouldn't we auto block all IP's from which this type of request is received?

UPDATE My intention with the phrase "real-world" was to indicate that I am not asking what the HTTP protocol permits. It is permitted to submit HTTP requests without some headers. I am asking what "real-world" case you would have for allowing this type of HTTP request into your server.

like image 761
Jay Avatar asked Jun 17 '14 23:06

Jay


People also ask

What is the use of user agent in HTTP request?

The User-Agent request header is a characteristic string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.

Why do we need user agent?

A user agent is any software that retrieves and presents Web content for end users or is implemented using Web technologies. User agents include Web browsers, media players, and plug-ins that help in retrieving, rendering and interacting with Web content.

Is user agent header required?

All API-connecting software must include the HTTP User-Agent header to identify itself in the requests that it sends. To be more specific, interface.

How reliable is user agent?

Yes its reliable for non hacker user. The user agent string is a text that the browsers themselves send to the webserver to identify themselves, so that websites can send different content based on the browser or based on browser compatibility.

Should the user agent be specified in a Bad Request Response?

If it were intentional that user agent must be specified I would expect a 400 Bad Request response with a meaningful message.

What is user-agent in http?

Last Updated : 11 Oct, 2019 The HTTP headers User-Agent is a request header that allows a characteristic string that allows network protocol peers to identify the Operating System and Browser of the web-server. Your browser sends the user agent to every website you connect to.

Can a user agent send a user-agent field in a rest request?

Whether or not it's REST, it's still HTTP, and subject to the HTTP specification. A user agent SHOULD send a User-Agent field in each request unless specifically configured not to do so.

Is it a defect for REST API to enforce a user agent?

It's not a defect if they intentionally want to enforce clients specify a user agent. I think it was a good idea to report it because it is a bit unusual for a REST API to enforce a user agent because REST API are consumed by programmatic clients that typically don't set a user agent by default.


1 Answers

As stated in RFC 7231 (but nearly the same paragraph can be found in RFC2616):

5.5.3 User-Agent

The "User-Agent" header field contains information about the user agent originating the request, which is often used by servers to help identify the scope of reported interoperability problems, to work around or tailor responses to avoid particular user agent limitations, and for analytics regarding browser or operating system use. A user agent SHOULD send a User-Agent field in each request unless specifically configured not to do so.

The keyword here is SHOULD. And yes, there's an RFC that defines what that word is supposed to mean, RFC 2119:

  1. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

So, although the agents that do not send User-Agent do not follow what can be considered best practice, they do not violate any rule (rfc). So, in my opinion, there's not really a valid technical reason to block them.

like image 183
fvu Avatar answered Sep 22 '22 13:09

fvu