Bug ID 781069: Bot Defense challenge blocks requests with long Referer headers

Last Modified: Nov 22, 2021

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
13.1.0, 13.1.1, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 15.0.0, 15.0.1

Fixed In:
15.1.0, 13.1.3

Opened: May 09, 2019
Severity: 3-Major


Symptoms

The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long. The client may be blocked with a TCP RST or get stuck in a challenge loop.


Impact

Legitimate browsers may get blocked or suffer from a challenge loop.


Conditions

-- Bot Defense with Verify before Access, or Proactive Bot Defense, is configured.
-- The request has a Referer header that is between ~1400 and 3072 characters long.


Workaround

Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.
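
One way to write that workaround, as an added example rather than F5's own iRule. The 1024-character threshold (chosen to sit below the "about 1400" in this report) and the trimming strategy (drop the query string first, then fall back to the origin) are assumptions.

```tcl
when HTTP_REQUEST {
    # Assumed threshold: stay well under the ~1400 characters where the
    # challenge starts to misbehave.
    set max_referer_len 1024

    if { [HTTP::header exists "Referer"] } {
        set referer [HTTP::header value "Referer"]

        if { [string length $referer] > $max_referer_len } {
            # Step 1: drop the query string, which is usually what makes
            # a Referer this long.
            set cut [string first "?" $referer]
            if { $cut > 0 } {
                set referer [string range $referer 0 [expr {$cut - 1}]]
            }

            # Step 2: if the path alone is still too long, keep only
            # scheme://host/ so origin-based checks behind the BIG-IP
            # still see the right origin.
            if { [string length $referer] > $max_referer_len } {
                if { [regexp {^(https?://[^/]+)} $referer match origin] } {
                    set referer "$origin/"
                } else {
                    # Not an absolute URL: hard-truncate as a last resort.
                    set referer [string range $referer 0 [expr {$max_referer_len - 1}]]
                }
            }

            HTTP::header replace "Referer" $referer
        }
    }
}
```

Anything behind the virtual server that reads the Referer (origin checks, analytics, redirect logic) will see the shortened value, so confirm nothing depends on the full query string before attaching the iRule.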

Fix Information

Challenges with long Referer headers no longer block legitimate clients.

Behavior Change