Customer had a problem accessing my website. Turns out it is the "Remove Private Header" setting in ZA.
It is clashing with some of the protocol rule-sets in the mod-security addon to apache.
The ZA setting seems to change the line starting User-Agent: Mozilla... etc. to capital X characters. Unfortunately it does this for the whole line - including the token!
So the line becomes XXXXXXXXXX: XXXXXXX etc.
Why overwrite the TOKEN? Overwrite the data by all means, so Mozilla etc becomes XXXXXX etc. but leave the User-Agent: intact.
Mod-security is reporting that the incoming request packet contains no User-Agent data, which is a protocol error, and suspects an attack.
Does anyone in ZA know why they chose to overwrite the token as well as the data?
Wouldn't "User-Agent: XXXXXXXXXXXXXXXXXXXX" be acceptable from both a security and an operational viewpoint?
Incidentally, the "remove private header" setting also seems to knock out the Accept-Encoding: line as well; at least in my tests, the header line
Accept-Encoding: gzip,deflate became XXXXXXXXXXXXXXX: XXXXXXXXXXXX.
I would have thought knocking out this header was going to cause problems. Doesn't the server need to know the encodings the browser will accept?
I think the apache mod-security module is in fairly common use, so I'm amazed other people are not reporting issues. I got all the XXXX stuff from the mod-security debug trace.
Operating System: Windows XP Home Edition
Product Name: ZoneAlarm Internet Security Suite
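The two rewriting strategies the post contrasts, as an added example that is not part of the original post and not ZoneAlarm's or ModSecurity's code. It models the behaviour the poster describes (every non-space character of the header line replaced by "X", colon and spacing kept), runs a minimal protocol check of the kind a WAF applies (a request without a User-Agent header is flagged), and shows what a server's content negotiation does once Accept-Encoding is gone. The sample request, the set of headers treated as "private" and the WAF rule are constructed assumptions for the demonstration.

```python
import re

# Constructed sample request; not taken from the poster's debug trace.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

# Header names the poster observed being rewritten. This is an assumption
# for the example, not ZoneAlarm's actual list of "private" headers.
PRIVATE_HEADERS = {"user-agent", "accept-encoding"}


def _mask(text: str) -> str:
    """Replace every non-space character with 'X', preserving length and spacing."""
    return re.sub(r"\S", "X", text)


def _rewrite(request: str, rewrite_line) -> str:
    """Apply rewrite_line(name, value) to each private header of a raw request."""
    head, sep, body = request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    out = [request_line]
    for line in header_lines:
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() in PRIVATE_HEADERS:
            out.append(rewrite_line(name, value))
        else:
            out.append(line)
    return "\r\n".join(out) + sep + body


def redact_whole_line(request: str) -> str:
    """Behaviour the poster describes: token and value both become X's."""
    return _rewrite(request, lambda name, value: _mask(name) + ":" + _mask(value))


def redact_value_only(request: str) -> str:
    """What the poster asks for: keep the token, mask only the value."""
    return _rewrite(request, lambda name, value: name + ":" + _mask(value))


def parse_headers(request: str) -> dict:
    """Parse header lines into a {lowercase-name: value} dict, like a server would."""
    head = request.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers


def waf_check(request: str) -> list:
    """Minimal protocol check in the spirit of the rule the poster hit.

    Hypothetical rule set: a request must carry a non-empty Host and User-Agent.
    """
    headers = parse_headers(request)
    findings = []
    for required in ("host", "user-agent"):
        if not headers.get(required):
            findings.append(f"missing {required} header")
    return findings


def negotiate_encoding(request: str) -> str:
    """Pick the response encoding a server would choose from Accept-Encoding."""
    accepted = parse_headers(request).get("accept-encoding", "")
    tokens = {t.strip().lower() for t in accepted.split(",") if t.strip()}
    return "gzip" if "gzip" in tokens else "identity"


if __name__ == "__main__":
    for label, fn in (("whole line", redact_whole_line), ("value only", redact_value_only)):
        rewritten = fn(SAMPLE_REQUEST)
        print(f"--- {label} ---")
        print(rewritten.partition("\r\n\r\n")[0])
        print("WAF findings:", waf_check(rewritten))
        print("response encoding:", negotiate_encoding(rewritten))
```

With the whole-line rewrite, the masked name no longer parses as User-Agent, so the WAF rule fires exactly as the post reports; masking only the value keeps the header present and the check quiet. Note that either rewrite of Accept-Encoding costs the client compression, because a server cannot recognise "XXXX" as gzip and falls back to an uncompressed response.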