Rejecting traffic where ACCEPT header is empty on favicon.ico requests

blockingfaviconhoneypothttp-headerstraffic-filtering

As part of filtering out potential harmful traffic, I currently reject traffic where $_SERVER["HTTP_ACCEPT"] is empty.

I notice from my logs that a fair number of requests have been rejected due to the accept header being empty and some of them come from valid IP traffic when requesting favicon.ico.

I currently block these favicon.ico requests with a "403 Forbidden" (I know I should probably use 406 Not Acceptable).

I do have a favicon.ico on my site. I am aware that favicon.ico "not found" errors are not seen by the user. Is it the same for me blocking these pages or will they see the 403 Forbidden page?

I would like to test this myself, but I do not know how to generate a page request with empty headers. Perhaps if someone has a way to do this as well, it will help.

Thanks for your input.

Best Answer

Is it the same for me blocking these pages or will they see the 403 Forbidden page?

Blocked images, including favicon, does not result in a 403 page being displayed. The image will simply not be displayed in the same fashion as if it was not found.

Related Solutions

Apache VirtualHost Blockhole (Eats All Requests on All Ports on an IP)

Interesting solution .. I like it! You should use an address other than localhost, however.

Bind another IP onto the NIC (or use a second NIC) on the box, and setup Apache to listen on that address, for whatever ports you want. Wildcard (*) should work. Then, the only traffic to that address is directed by the HOSTS file "spoof", and that traffic won't interfere with other (legit) services that may access localhost.

Also, you may choose to do this with DNS rather than with the HOSTS file. This is IMHO a better long term solution. Finally, the easiest solution is most likely to block traffic at your firewall to these domains.

UPDATE - based on comments. I suggest that you use TWO different IP addresses, one for HTTP and one for HTTPS. Have each one listen on all ports and direct traffic to the appropriate port. Then, when you add the domain for blocking to the HOSTS file, set it to the SSL/vanilla IP based on the the type of request that triggered the adding of the entry.

Nginx conditional Accept header

Try this

set $acceptHeader $http_accept;
if ($acceptHeader !~ ".") {
  set $acceptHeader '/';
}
proxy_set_header Accept $acceptHeader;

Best Answer

Related Solutions

Apache VirtualHost Blockhole (Eats All Requests on All Ports on an IP)

Nginx conditional Accept header

Related Topic