Headers
One part of the request that we shouldn't overlook is the set of request headers sent by the client. Like the cookie check, rules that check the request headers can be placed before the individual checks for each action, since the request headers will be similar no matter what type of request is sent.
Using our HTTP debugging proxy, we can look at the typical headers sent by the web browser when requesting pages from the forum. The following screenshot shows what headers we can expect to see:
Using a simple regular expression we can make sure that only headers that we have approved are allowed in requests:
SecRule REQUEST_HEADERS_NAMES "!^(Accept|Referer|Accept-Language|Content-Type|Content-Length|Cookie|User-Agent|Accept-Encoding|Host|Connection|Pragma|If-Modified-Since|If-None-Match)$" "deny"
If any header other than one defined in the list above is sent by a client, the request is denied. As before, the next step is to check each header to make sure it only contains characters...
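To see what the header-name whitelist actually accepts and rejects, here is an added Python example (not code from the book or from ModSecurity) that applies the same anchored regular expression to the header names of a raw HTTP request head. The function names (`parse_header_names`, `unapproved_headers`, `check_request`) and the sample requests are constructed for this illustration. One deliberate difference from the SecRule as written: header names are case-insensitive in HTTP, so the match here uses `re.IGNORECASE`; the rule's PCRE pattern is case-sensitive unless it is prefixed with `(?i)`, so a client that sends `host:` in lowercase would otherwise be denied.

```python
import re

# The approved header names from the SecRule above.
APPROVED_HEADERS = (
    "Accept", "Referer", "Accept-Language", "Content-Type", "Content-Length",
    "Cookie", "User-Agent", "Accept-Encoding", "Host", "Connection", "Pragma",
    "If-Modified-Since", "If-None-Match",
)

# Same shape as the rule's pattern: anchored with ^ and $ so that a name such as
# "X-Accept" or "Accept-Charset" cannot pass on a partial match. IGNORECASE is
# an addition here (see lead-in); in the SecRule you would prefix "(?i)".
APPROVED_NAME_RE = re.compile(
    r"^(" + "|".join(re.escape(h) for h in APPROVED_HEADERS) + r")$",
    re.IGNORECASE,
)


def parse_header_names(raw_request: str) -> list[str]:
    """Return the header names from a raw request head: request line, header
    lines, then a blank line. Malformed lines (no colon) are returned as-is so
    they fail the whitelist instead of being silently skipped."""
    names = []
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if line == "":                            # blank line ends the headers
            break
        name, sep, _value = line.partition(":")
        names.append(name.strip() if sep else line.strip())
    return names


def unapproved_headers(raw_request: str) -> list[str]:
    """Header names that are not on the approved list (empty list = would pass)."""
    return [n for n in parse_header_names(raw_request)
            if not APPROVED_NAME_RE.match(n)]


def check_request(raw_request: str) -> str:
    """Disposition the rule would give: 'deny' if any unapproved header appears."""
    return "deny" if unapproved_headers(raw_request) else "allow"


# Constructed sample requests (hypothetical host name, not captured traffic).
NORMAL_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: forum.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Accept-Encoding: gzip\r\n"
    "Connection: keep-alive\r\n"
    "Cookie: PHPSESSID=abc123\r\n"
    "\r\n"
)

# A legitimate browser header that is simply missing from the list: this is the
# false-positive case to watch for when building a positive security model.
EXTRA_HEADER_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: forum.example\r\n"
    "Accept-Charset: utf-8\r\n"
    "\r\n"
)

# Lowercase names: passes here because of IGNORECASE, would fail the rule as written.
LOWERCASE_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "host: forum.example\r\n"
    "user-agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST),
                       ("extra header", EXTRA_HEADER_REQUEST),
                       ("lowercase", LOWERCASE_REQUEST)):
        print(f"{label}: {check_request(req)} {unapproved_headers(req)}")
```

When a request is denied by this rule in production, the audit log will only tell you that the rule fired; logging the offending name (as `unapproved_headers` returns it) is what lets you decide whether to extend the list or keep the block.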