
Hi, I have a client that is trying to POST to us with the following HTTP headers:

content-type: application/x-www-form-urlencoded
content-encoding: UTF-8

But our web application firewall keeps picking them up and throwing error:

Message: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "45"] [id "340362"] [msg "Atomicorp.com WAF Rules: ModSecurity does not support content encodings and can not detect attacks using it, therefore it must be blocked."] [severity "WARNING"] Access denied with code 501 (phase 2). Match of "rx ^Identity$" against "REQUEST_HEADERS:Content-Encoding" required. Action: Intercepted (phase 2)

Would anyone like to shed some light on this matter?

Jae Lee

1 Answer


It is invalid. The content-encoding specifies the data transfer encoding used by the issuer of the content. UTF-8 is not a content encoding, it is a character set. Specifying the character set is done in the content-type header:

content-type: text/plain; charset=utf-8

Valid content-encoding values are, for instance, gzip, deflate. An HTTP client should specify what content encoding it supports with the accept-encoding header; the HTTP server will reply with a content-encoding header.

fge
  • could you provide a reference to where you obtained your content-encoding values? I've only found these to be valid: identity, gzip, and deflate. – Jae Lee Jun 17 '13 at 19:21
  • also, should content-encoding not be passed at all? what would happen in that case? – Jae Lee Jun 17 '13 at 19:21
  • @fge those are valid `Content-Transfer-Encoding` values for MIME email, which is not *quite* the same thing. – hobbs Jun 17 '13 at 19:25
  • @JaeLee if you don't pass a Content-Encoding, the data is not compressed at all – fge Jun 17 '13 at 19:33
  • @JaeLee https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding – Jairo Martínez Apr 29 '20 at 18:53
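The following is an added example, not code from the question, the answer, or from ModSecurity/Atomicorp. It models the check the quoted rule performs (Content-Encoding, if present, must match `^Identity$`) and contrasts the client's headers with a correctly formed form POST that carries its charset in Content-Type. The rule's transformations are not shown on the page, so treating `identity` case-insensitively is an assumption, as are the helper names and the sample field values.

```python
"""Header check modelled on the ModSecurity rule quoted above, plus a
correctly built application/x-www-form-urlencoded POST.

Added example; not the page's or ModSecurity's own code. Assumption: the
real rule's case handling depends on its transformations, which are not
shown on the page, so "identity" is accepted case-insensitively here."""
import re
from urllib.parse import urlencode

# The quoted rule: Match of "rx ^Identity$" against REQUEST_HEADERS:Content-Encoding.
IDENTITY_ONLY = re.compile(r"^identity$", re.IGNORECASE)

# Charset names clients sometimes put in Content-Encoding by mistake.
COMMON_CHARSETS = {"utf-8", "utf8", "iso-8859-1", "latin1", "us-ascii", "windows-1252"}


def parse_content_type(value):
    """Split 'type/subtype; key=value; ...' into (media_type, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return media_type, params


def check_request_headers(headers):
    """Return the problems a Content-Encoding-blocking rule would raise.

    An empty list means the request passes this particular check; header
    names are compared case-insensitively, as HTTP requires."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    encoding = lower.get("content-encoding")
    if encoding is not None and not IDENTITY_ONLY.match(encoding):
        msg = f"Content-Encoding {encoding!r} is not identity; the rule blocks it (501)"
        if encoding.lower() in COMMON_CHARSETS:
            msg += f"; {encoding!r} is a charset and belongs in Content-Type"
        problems.append(msg)
    return problems


def charset_of(headers):
    """Charset declared where it belongs: as a Content-Type parameter."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "content-type" not in lower:
        return None
    _, params = parse_content_type(lower["content-type"])
    return params.get("charset")


def build_form_post(fields):
    """Headers and body for a UTF-8 form POST that sends no Content-Encoding.

    urlencode percent-encodes the UTF-8 bytes, so the body itself is ASCII."""
    body = urlencode(fields, encoding="utf-8").encode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Content-Length": str(len(body)),
    }
    return headers, body


if __name__ == "__main__":
    # Constructed sample: the client's headers as quoted in the question.
    bad = {"content-type": "application/x-www-form-urlencoded",
           "content-encoding": "UTF-8"}
    for problem in check_request_headers(bad):
        print("BLOCKED:", problem)

    # Constructed sample fields; the corrected request passes the check.
    good_headers, good_body = build_form_post({"name": "Jäe", "q": "a b"})
    print("corrected request passes:", check_request_headers(good_headers) == [])
    print(good_headers, good_body)
```

Running the script prints the block reason for the client's original headers and shows that the rebuilt request, which omits Content-Encoding and declares `charset=utf-8` inside Content-Type, passes the same check with a plain ASCII percent-encoded body.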