Rule Discussion "Strict Header Check"
The strict header check ensures that only predefined request headers are present in a given request.
The strict header check is meant to be specific to every path, i.e. each path gets its own list of expected headers.
An example looks as follows:
SecRule REQUEST_HEADERS_NAMES "!^(Host|User-Agent|Referer|Accept|Accept-Language|Accept-Encoding|Accept-Charset|Keep-Alive|Connection|Content-Type|Content-Length|Cookie|Pragma|Cache-Control)$" "t:none,deny,id:6,status:501,severity:3,msg:'Strict headercheck: At least one request header is not predefined for this path.'"
We check whether one of the items in the collection REQUEST_HEADERS_NAMES is not contained in our list of predefined headers. If this is the case, we deny access. Otherwise, rule processing continues.
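As an added illustration (not code from the original page), the following Python re-implements the decision the rule above makes, so it can be tested offline: every name in REQUEST_HEADERS_NAMES is matched against the anchored alternation of predefined headers, and the first name outside the list denies the request. It also carries the per-path idea one step further than the page does, with a longest-prefix lookup of a per-path allow-list and a helper that renders such a list as a chained ModSecurity rule scoped by REQUEST_URI. The allow-lists, the sample requests, the rule id 1001 and all helper names are constructed for this example; the list under "/" is the one from the rule on this page.

```python
"""Strict header check: allow only predefined request header names, per path.

Added example, not part of the original page. Re-implements the logic of the
SecRule above in plain Python. The per-path allow-lists, sample requests and
helper names are all constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Per-path allow-lists (constructed). The longest matching path prefix wins;
# "/" is the fallback and holds the header list from the rule on this page.
ALLOWED_HEADERS: Dict[str, List[str]] = {
    "/": ["Host", "User-Agent", "Referer", "Accept", "Accept-Language",
          "Accept-Encoding", "Accept-Charset", "Keep-Alive", "Connection",
          "Content-Type", "Content-Length", "Cookie", "Pragma", "Cache-Control"],
    # A login form needs a smaller set, so its list is tighter (constructed).
    "/login": ["Host", "User-Agent", "Referer", "Accept", "Accept-Language",
               "Accept-Encoding", "Connection", "Content-Type", "Content-Length",
               "Cookie"],
}


def allowlist_for(path: str, lists: Dict[str, List[str]] = ALLOWED_HEADERS) -> List[str]:
    """Pick the allow-list whose key is the longest prefix of the request path."""
    best = max((k for k in lists if path.startswith(k)), key=len)
    return lists[best]


def build_pattern(names: List[str], ignore_case: bool) -> "re.Pattern[str]":
    """Build the anchored alternation the rule uses: ^(Host|User-Agent|...)$."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^(" + "|".join(re.escape(n) for n in names) + ")$", flags)


def strict_header_check(path: str, header_names: List[str],
                        ignore_case: bool = True) -> Tuple[bool, Optional[str]]:
    """Return (denied, offending_header). The request is denied as soon as one
    name falls outside the allow-list, which is what the negated regex does."""
    pattern = build_pattern(allowlist_for(path), ignore_case)
    for name in header_names:
        if not pattern.match(name):
            return True, name
    return False, None


def to_secrule(path: str, names: List[str], rule_id: int) -> str:
    """Render the check as a chained ModSecurity 2.x rule scoped to one path.
    The first rule matches the path, the chained rule applies the header check.
    Rule id, status and message text are placeholders."""
    alternation = "|".join(names)
    return (
        f"SecRule REQUEST_URI \"@beginsWith {path}\" "
        f"\"id:{rule_id},phase:1,t:none,deny,status:501,chain,"
        f"msg:'Strict headercheck: unexpected request header for {path}'\"\n"
        f"    SecRule REQUEST_HEADERS_NAMES \"!@rx ^({alternation})$\" \"t:none\""
    )


# Constructed sample requests: (path, header names as sent by the client).
SAMPLES = [
    ("/index.html", ["Host", "User-Agent", "Accept", "Cookie"]),           # allowed
    ("/index.html", ["Host", "User-Agent", "X-Forwarded-For"]),            # denied
    ("/login", ["Host", "User-Agent", "Content-Type", "Content-Length",
                "Pragma"]),                                                 # denied on /login only
    ("/login", ["host", "user-agent", "content-type", "content-length"]),   # lowercase names
]


def run_samples(ignore_case: bool = True) -> List[Tuple[str, bool, Optional[str]]]:
    """Evaluate every sample; returns (path, denied, offending_header) per request."""
    return [(p, *strict_header_check(p, h, ignore_case)) for p, h in SAMPLES]


if __name__ == "__main__":
    for path, denied, bad in run_samples():
        verdict = "DENY" if denied else "ALLOW"
        print(f"{path:12} {verdict:5} {bad or ''}")
    # The regex in the rule on this page is case-sensitive; with ignore_case=False
    # the lowercase sample is denied although every header in it is expected.
    print(run_samples(ignore_case=False)[3])
    print(to_secrule("/login", ALLOWED_HEADERS["/login"], 1001))
```

Two points worth checking when deploying a rule of this shape: the anchored alternation is case-sensitive unless the pattern says otherwise, and HTTP header names are case-insensitive (clients speaking HTTP/2 send them in lowercase), so the last sample shows a legitimate request being denied when the check is run case-sensitively; and a path-specific list is only specific if the rule is actually scoped to that path, which is what the chained REQUEST_URI rule in `to_secrule` adds to the page's single-rule form.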