Mod_security blocks as no User Agent is specified in the request #20

@jordanwalsh23

I am using a PHP script to generate the HAR object based on request parameters. This allows me to pass a source URL to APIEmbed, and generate different outputs based on what the user requires.

What I have noticed since pushing this script into production is that the APIEmbed function doesn't work when attempting to run the PHP script hosted on Apache running mod-security.

The key violation is that there is no User Agent specified in the request.

[Thu Nov 05 10:04:49.863381 2015] [:error] [pid xxxxx] [client xxxxxx] 
ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file 
"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] 
[line "66"] [id "960009"] [rev "1"] 
[msg "Request Missing a User Agent Header"] 
[severity "NOTICE"] 
[ver OWASP_CRS/2.2.6"] 
[maturity "9"] 
[accuracy "9"] 
[tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] 
[tag "WASCTC/WASC-21"] 
[tag "OWASP_TOP_10/A7"] 
[tag "PCI/6.5.10"] 
[hostname "xxxxxxxxx"]
[uri "xxxxxxxxxxx/generateSampleCode.php"] 
[unique_id "xxxxxxxxxx"]

This means that I need to modify my security to allow this through. The better function would be for the APIEmbed solution to specify a User-Agent when requesting the JSON source.
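
Added example, not part of the original issue or of the APIEmbed project: a small parser for ModSecurity error-log entries like the one above, useful for confirming that a 403 really came from rule 960009 before changing either the client or the rule set. The function names `parse_modsec_entry` and `is_missing_ua_block` are hypothetical, and the sample is the entry from this issue joined onto one line with its redactions kept.

```python
import re

# Constructed sample: the log entry from the issue on one line, with the
# redacted "xxxx" values kept exactly as they appear there.
SAMPLE = (
    '[Thu Nov 05 10:04:49.863381 2015] [:error] [pid xxxxx] [client xxxxxx] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    'Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/'
    'activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] '
    '[line "66"] [id "960009"] [rev "1"] '
    '[msg "Request Missing a User Agent Header"] [severity "NOTICE"] '
    '[ver OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] '
    '[tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] '
    '[tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] '
    '[hostname "xxxxxxxxx"] [uri "xxxxxxxxxxx/generateSampleCode.php"] '
    '[unique_id "xxxxxxxxxx"]'
)

# [key "value"] pairs. Quotes are optional on both sides because the entry
# contains [ver OWASP_CRS/2.2.6"] with no opening quote. Values that embed
# ']' or '"' (possible in [data ...]) are not handled by this pattern.
FIELD = re.compile(r'\[(\w+) "?([^\]"]*)"?\]')
ACTION = re.compile(r'ModSecurity: (.+?) with code (\d+) \(phase (\d+)\)')

def parse_modsec_entry(entry):
    """Return action, status, phase and bracketed fields of one log entry."""
    text = " ".join(entry.split())        # undo line wrapping
    start = text.find("ModSecurity:")     # skip Apache's own [pid]/[client]
    if start < 0:
        return None
    result = {"tags": []}
    m = ACTION.search(text, start)
    if m:
        result.update(action=m.group(1), status=int(m.group(2)),
                      phase=int(m.group(3)))
    for key, value in FIELD.findall(text[start:]):
        if key == "tag":
            result["tags"].append(value)  # tags repeat, keep them all
        else:
            result.setdefault(key, value)
    return result

def is_missing_ua_block(entry):
    """True when the entry is a denial raised by rule 960009."""
    r = parse_modsec_entry(entry)
    return bool(r) and r.get("id") == "960009" and r.get("action") == "Access denied"
```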
