Bug ID 423797: Add Client-Side challenge excluded URLs and headers internal parameters

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
11.2.0, 11.2.1, 11.3.0, 11.4.0

Fixed In:
11.5.0, 11.4.0 HF3, 11.3.0 HF8, 11.2.1 HF8

Opened: Jun 23, 2013
Severity: 3-Major
Related AskF5 Article:
K93749159

Symptoms

CS Challenge from Web Scraping is impacting the customer's website causing the browser to display a blank page.

Impact

CS Challenge from Web Scraping is impacting the customer's website causing the browser to display a blank page.

Conditions

Configure ASM policy with client side challenge for brute force and the different web scraping features.

Workaround

This issue has no workaround at this time.

Fix Information

We added the following internal parameters that you can add to headers and URLs in order to avoid requests receiving a client side challenge: cs_excluded_headers - Contains one or more headers, separated by a comma [,]. When one of these headers is presented in the transaction, the client side challenge is not injected in the transaction. (The URL qualification will still work in this case, as it is expected that the same URL may appear with or without these headers). The default value is an empty string. cs_excluded_urls - Contains one or more explicit URLs, separated by a comma [,]. These URLs will never be qualified for a client-side challenge. The default value is an empty string.

Behavior Change