Closed
Description
The `Sec-CH-UA` and `Sec-CH-UA-Mobile` are simply excluded from rule 920274 and not validated. `Sec-CH-UA-Mobile` is a Structured Header boolean and can be validated by rule 920275. `Sec-CH-UA` is most likely collateral damage from excluding `Sec-CH-UA-Mobile`, and `Sec-CH-UA` does not need to get excluded from rule 920274 at all.
For example:
curl --header 'Sec-CH-UA-Mobile: foo' https://$YOUR_SITE/
fails to trigger a rule on paranoia level 4.
Your Environment
- CRS version (e.g., v3.2.0): v3.4/dev at e2839fe
- Paranoia level setting: 4
- ModSecurity version (e.g., 2.9.3): 3.1.0
- Web Server and version (e.g., apache 2.4.41): apache 2.4.38
- Operating System and version: Debian Buster
Confirmation
[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
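
The check the issue asks for, sketched as an added example (not code from the issue or from CRS; the pattern rule 920275 actually uses is not shown on this page). It validates `Sec-CH-UA-Mobile` as a boolean item using the RFC 8941 grammar, including optional parameters; the function names and sample requests are constructed for illustration.

```python
import re

# RFC 8941 grammar fragments, written for this example (not the CRS regex).
KEY = r"[a-z*][a-z0-9_.*-]*"
BARE_ITEM = "|".join([
    r"-?\d{1,12}\.\d{1,3}",                          # sf-decimal
    r"-?\d{1,15}",                                   # sf-integer
    r'"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\["\\])*"',  # sf-string
    r"[A-Za-z*][!#$%&'*+.^_`|~0-9A-Za-z:/-]*",       # sf-token
    r":[A-Za-z0-9+/=]*:",                            # sf-binary
    r"\?[01]",                                       # sf-boolean
])
# parameters = *( ";" *SP key [ "=" bare-item ] )
PARAMS = rf"(?:; *(?:{KEY})(?:=(?:{BARE_ITEM}))?)*"
BOOLEAN_ITEM = re.compile(rf"\?([01]){PARAMS}")

# Header the issue identifies as a Structured Header boolean.
BOOLEAN_HEADERS = {"sec-ch-ua-mobile"}


def parse_sf_boolean(value):
    """Return True or False for a valid boolean item, None otherwise."""
    m = BOOLEAN_ITEM.fullmatch(value.strip(" "))
    return None if m is None else m.group(1) == "1"


def invalid_boolean_headers(headers):
    """List (name, value) pairs whose value is not a boolean item."""
    return [(n, v) for n, v in headers.items()
            if n.lower() in BOOLEAN_HEADERS and parse_sf_boolean(v) is None]


# Constructed sample requests; the second mirrors the curl call in the issue.
SAMPLE_REQUESTS = [
    {"Host": "example.test", "Sec-CH-UA-Mobile": "?0"},
    {"Host": "example.test", "Sec-CH-UA-Mobile": "foo"},
    {"Host": "example.test", "Sec-CH-UA-Mobile": "?1;a=1"},
    {"Host": "example.test", "Sec-CH-UA-Mobile": "?2"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        value = req["Sec-CH-UA-Mobile"]
        print(value, "->", invalid_boolean_headers(req) or "ok")
```

Note that `foo` is a syntactically valid structured-field token, so a character-set check alone would accept it; only a check pinned to the boolean item type rejects it.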