Blank UA String

**Jonathan N. Little** · Oct 12 '08, 12:25 AM

Re: Blank UA String

David E. Ross wrote:

I'm getting occasional visits to my Web site from applications with
blank UA strings. I would like to block such accesses because they
violate various RFCs and might represent attempted hostile actions.
>
Since I don't own the Web server (it's owned by my ISP) and I don't want
to have any JavaScript, I would prefer using either an .htaccess setting
or a SSI script. Is this possible? The Web server is Apache (version
currently unknown) for which I have done some simple .htaccess settings.
I know how to create SSI scripts in UNIX.
>
What I really would like to do is send an error page when the UA string
is blank. The page would tell the user why the requested page cannot be
seen. If I can't send an error page, then I would send an appropriate
HTTP status code.
>

Although you can do this if you wish within an .htaccess file *if* your
hosting company allow such, but I would advise against it because some
personal security software (i.e., antivirus firewall protection suites)
can block such info. Scripts that rely on HTTP_REFERER broke miserably
when Norton Internet Security started blocking it, is one example...

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO

Little Works Studio Site Maintainance

http://www.LittleWorksStudio.com

**Eric B. Bednarz** · Oct 12 '08, 01:05 AM

Re: Blank UA String

"David E. Ross" <nobody@nowhere .notwrites:

I'm getting occasional visits to my Web site from applications with
blank UA strings. I would like to block such accesses because they
violate various RFCs and might represent attempted hostile actions.

Your Web site is about to represent attempted hostile actions too. Just
to be safe, Iâ€™ve updated my hosts file (thanks for your signature, HTH).

--
||| hexadecimal EBB
o-o decimal 3771
--oOo--( )--oOo-- octal 7273
205 goodbye binary 111010111011

**Darin McGrew** · Oct 13 '08, 11:15 PM

Re: Blank UA String

David E. Ross <nobody@nowhere .notwrote:

I'm getting occasional visits to my Web site from applications with
blank UA strings. I would like to block such accesses because they
violate various RFCs and might represent attempted hostile actions.

FWIW, HTTP 1.1 (RFC 2616) says "User agents SHOULD include this field with
requests", not "User agents MUST include this field with requests".

As a practical matter, not everyone behind a firewall that strips the
User-Agent header will be able to reconfigure the firewall. And others will
not be willing to reconfigure the firewall.

And do you really care whether you get blank/non-existent User-Agent
strings, or bogus User-Agent strings like

Mozilla/4.0 (compatible; not MSIE 6.0; HAL 9000)

? Sites blocking access based on User-Agent strings are the reason why
almost every browser misrepresents itself in its User-Agent string.
--
Darin McGrew, darin@TheRallye Club.org, http://www.TheRallyeClub.org/
A gimmick car rallye is not a race, but a fun puzzle testing your
ability to follow instructions. Upcoming gimmick car rallye in
Silicon Valley: Talladega Nights (Saturday, August 4)

**Harlan Messinger** · Oct 13 '08, 11:55 PM

Re: Blank UA String

Jonathan N. Little wrote:

David E. Ross wrote:

>I'm getting occasional visits to my Web site from applications with
>blank UA strings. I would like to block such accesses because they
>violate various RFCs and might represent attempted hostile actions.
>>
>Since I don't own the Web server (it's owned by my ISP) and I don't want
>to have any JavaScript, I would prefer using either an .htaccess setting
>or a SSI script. Is this possible? The Web server is Apache (version
>currently unknown) for which I have done some simple .htaccess settings.
> I know how to create SSI scripts in UNIX.
>>
>What I really would like to do is send an error page when the UA string
>is blank. The page would tell the user why the requested page cannot be
>seen. If I can't send an error page, then I would send an appropriate
>HTTP status code.
>>

>
Although you can do this if you wish within an .htaccess file *if* your
hosting company allow such, but I would advise against it because some
personal security software (i.e., antivirus firewall protection suites)
can block such info. Scripts that rely on HTTP_REFERER broke miserably
when Norton Internet Security started blocking it, is one example...
>

<rant>Norton Internet Security is insane. I've had problems caused by
the software blocking access to a page that had a parameter called "ad"
in the query string (it was short for "administrator" ) and by having the
images used in the banner of one site's pages reside in a directory
called, shockingly, "banners".</rant>

**Jonathan N. Little** · Oct 14 '08, 01:45 AM

Re: Blank UA String

Harlan Messinger wrote:

<rant>Norton Internet Security is insane. I've had problems caused by
the software blocking access to a page that had a parameter called "ad"
in the query string (it was short for "administrator" ) and by having the
images used in the banner of one site's pages reside in a directory
called, shockingly, "banners".</rant>

No argument here. I loved the little "onload" handler it would inject to
"protect" folks for bad websites...true it would, but would also disable
any benign initialization for JavaScript functions on a page...

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO

Little Works Studio Site Maintainance

http://www.LittleWorksStudio.com

Blank UA String

Blank UA String

Comment

Comment

Comment

Comment

Comment