Hi, I have a client that is trying to POST to us with the following HTTP headers:
content-type: application/x-www-form-urlencoded
content-encoding: UTF-8
But our web application firewall keeps picking them up and throwing this error:
Message: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "45"] [id "340362"] [msg "Atomicorp.com WAF Rules: ModSecurity does not support content encodings and can not detect attacks using it, therefore it must be blocked."] [severity "WARNING"] Access denied with code 501 (phase 2). Match of "rx ^Identity$" against "REQUEST_HEADERS:Content-Encoding" required. Action: Intercepted (phase 2)
Would anyone like to shed some light on this matter?
It is invalid. The `content-encoding` header specifies the data transfer encoding used by the issuer of the content. UTF-8 is not a content encoding, it is a character set. Specifying the character set is done in the `content-type` header.

Valid `content-encoding` values are, for instance, `gzip` and `deflate`. An HTTP client should specify what content encoding it supports with the `accept-encoding` header; the HTTP server will reply with a `content-encoding` header.
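The split described in the answer, as an added example that is not part of the original question or answer: the character set belongs in the `charset` parameter of `Content-Type`, while `Content-Encoding` names a compression applied to the body (or is omitted, which means identity). The `waf_check` function is modelled on the quoted rule (`Content-Encoding` must be absent or `Identity`); the case-insensitive comparison and all the sample form data are assumptions made here, not taken from the rule file, and nothing is sent over the network.

```python
"""Content-Type charset vs. Content-Encoding for a form POST.

Added example; not code from the original thread. Everything runs offline.
"""
import gzip
import re
import zlib
from urllib.parse import parse_qs, urlencode

# Modelled on the quoted rule: Content-Encoding must be absent or "identity".
# Assumption: compared case-insensitively; the rule file's exact
# transformations are not shown in the question.
_IDENTITY = re.compile(r"^identity$", re.IGNORECASE)


def waf_check(headers):
    """Return (allowed, reason) for a request header dict (names case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    enc = lower.get("content-encoding")
    if enc is None or _IDENTITY.match(enc.strip()):
        return True, "no content encoding (identity)"
    return False, "Content-Encoding %r is not identity" % enc


def parse_content_type(value):
    """Split 'type/subtype; charset=X' into (media_type, params dict)."""
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return media_type, params


def encode_form(fields, charset="utf-8", content_encoding=None):
    """Build (headers, body) for a form POST.

    The charset goes into Content-Type. content_encoding (None, 'gzip' or
    'deflate') decides whether the body is compressed and whether a
    Content-Encoding header is sent at all.
    """
    body = urlencode(fields, encoding=charset).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=%s" % charset}
    if content_encoding == "gzip":
        body = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
    elif content_encoding == "deflate":
        body = zlib.compress(body)  # HTTP "deflate" is the zlib format
        headers["Content-Encoding"] = "deflate"
    elif content_encoding is not None:
        raise ValueError("unsupported content encoding: %r" % content_encoding)
    return headers, body


def decode_form(headers, body):
    """Undo encode_form: remove the content encoding, then decode with the charset."""
    lower = {k.lower(): v for k, v in headers.items()}
    enc = lower.get("content-encoding", "identity").lower()
    if enc == "gzip":
        body = gzip.decompress(body)
    elif enc == "deflate":
        body = zlib.decompress(body)
    elif enc != "identity":
        raise ValueError("unsupported content encoding: %r" % enc)
    media_type, params = parse_content_type(lower["content-type"])
    if media_type != "application/x-www-form-urlencoded":
        raise ValueError("unexpected media type: %r" % media_type)
    charset = params.get("charset", "utf-8")
    # The percent-escapes carry bytes in the declared charset, so decode with it.
    return {k: v[0] for k, v in parse_qs(body.decode("ascii"), encoding=charset).items()}


if __name__ == "__main__":
    # Constructed sample: the client's original headers versus the corrected ones.
    print(waf_check({"content-type": "application/x-www-form-urlencoded",
                     "content-encoding": "UTF-8"}))
    hdrs, body = encode_form({"name": "café", "q": "a b"})
    print(waf_check(hdrs), hdrs, body, decode_form(hdrs, body))
```

Run as a script it prints the blocked verdict for the client's headers and the accepted verdict for `Content-Type: application/x-www-form-urlencoded; charset=utf-8` with no `Content-Encoding` at all. Passing `content_encoding="gzip"` to `encode_form` produces a request that is valid HTTP but, as the rule says, will still be rejected by this WAF because it cannot inspect compressed bodies.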