Bug ID 638857: Challenging AJAX-qualified requests cover only GET and POST HTTP methods

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1

Opened: Jan 12, 2017

Severity: 4-Minor


When the Single Page Application flag enabled within DoS Application profile, and there is an AJAX request being sent using an HTTP method that is not a GET or POST (e.g., PATCH, PUT, DELETE), the Proactive Bot Defense does not display CAPTCHA pop-up.


CAPTCHA or challenge does not work.


-- ASM provisioned. -- DoS Application profile assigned to a virtual server. -- Proactive Bot Defense enabled. -- Single Page Application flag enabled within DoS Application profile. -- HTTP method is not GET or POST.


Disable Proactive Bot Defense, Single Page Application.

Fix Information

Single Page Application (SpearHead) AJAX hook has been updated to support non-GET/POST HTTP methods.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips