How do I use AWS WAF to block HTTP requests that don't contain a User-Agent header?

Last updated: 2019-12-06

I want to block HTTP requests that don't have a User-Agent header or have an empty User-Agent header value in the request. How do I use AWS WAF to block these requests?

Short Description

By default, AWS WAF doesn't inspect the User-Agent header at all. To block requests that omit the header or send it with an empty value, create a rule that uses one of the two conditions described in the Resolution: a Regex matching condition or a Size constraint condition. Keep in mind that the User-Agent value is entirely client-controlled, so this rule only filters clients that send nothing at all; any tool can supply an arbitrary User-Agent string.

Resolution

Method #1: Create a rule with a Regex matching condition

First, create the Regex matching condition:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose String and Regex matching.
  3. Choose Create condition.
  4. For Name, enter UA-condition.
  5. For Region, choose the Region where you created your web access control list (web ACL).
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  6. For Type, choose Regex match.
  7. For Part of the request to filter on, choose Header.
  8. For Header, choose User-Agent.
  9. For Transformation, choose None.
  10. For Regex patterns to match to request, keep the default selection of Create regex pattern set.
  11. For New pattern set name, enter testpattern.
  12. Enter the regular expression .+ and choose the plus (+) symbol.
    Note: The regular expression (regex) .+ matches one or more of any character except a line terminator. An empty User-Agent value therefore does not match, and a request that omits the header matches no filter at all, so the rule below (which blocks requests that do not match this condition) catches both cases. A header containing only whitespace still matches .+ and is not blocked.
  13. Choose Create pattern set and add filter.
  14. Choose Create.

Then, create a rule and add the condition to it:

  1. In the navigation pane, choose Rules.
  2. Choose Create rule.
  3. For Name, enter UA-Rule.
    Note: The Amazon CloudWatch metric name automatically populates based on your entry in the Name field.
  4. For Rule type, choose Regular rule.
  5. For Region, choose the Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for CloudFront.
  6. For Add conditions, choose does not and match at least one of the filters in the regex match condition.
  7. Choose UA-condition from the condition drop-down menu.
  8. Choose Create.

Finally, add this rule to your web ACL:

  1. In the navigation pane, choose Web ACLs.
  2. Choose the name of your web ACL.
  3. Select the Rules tab and choose Edit web ACL.
  4. For Rules, choose UA-Rule.
  5. Choose Add rule to web ACL.
  6. Confirm that Block is selected for Action.
  7. For Default action, choose Allow all requests that don't match any rules.
  8. Choose Update.

Method #2: Create a rule with a Size constraint condition

Note: By default, the quota for regex pattern sets is 5 per account. If you've reached this AWS WAF quota, use the following size constraint condition instead; it needs no pattern set.

First, create the Size constraint condition:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose Size constraints.
  3. Choose Create condition.
  4. For Name, enter UA-condition2.
  5. For Region, choose the Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for CloudFront.
  6. For Part of the request to filter on, choose Header.
  7. For Header, enter User-Agent.
  8. For Comparison operator, choose Greater than.
  9. For Size (Bytes), keep the default value of 0.
    Note: Use Greater than, not Greater than or equal. With Greater than or equal to 0, an empty User-Agent value (0 bytes) satisfies the condition, and the rule below, which blocks only requests that do not match the condition, would let that request through. With Greater than 0, an empty value fails the comparison and a missing header matches no filter, so both are blocked.
  10. For Transformation, choose None.
  11. Choose Add filter.
  12. Choose Create.

Then, create a rule and add the condition to it:

  1. In the navigation pane, choose Rules.
  2. Choose Create rule.
  3. For Name, enter UA-Rule2.
    Note: The CloudWatch metric name automatically populates based on your entry in the Name field.
  4. For Rule type, choose Regular rule.
  5. For Region, choose the Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for CloudFront.
  6. For Add conditions, choose does not and match at least one of the filters in the size constraint condition.
  7. Choose UA-condition2 from the condition drop-down menu.
  8. Choose Create.

Finally, add this rule to your web ACL:

  1. In the navigation pane, choose Web ACLs.
  2. Choose the name of your web ACL.
  3. Select the Rules tab and choose Edit web ACL.
  4. For Rules, choose UA-Rule2.
  5. Choose Add rule to web ACL.
  6. Confirm that Block is selected for Action.
  7. For Default action, choose Allow all requests that don't match any rules.
  8. Choose Update.
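The following Python script is an added example, not part of the AWS article and not AWS WAF code. It models how the two rules above evaluate a request so you can see, before touching a web ACL, which User-Agent values each variant blocks. The sample requests are constructed, and the script assumes (as the article's logic requires) that a request without the header matches no filter in either condition. It also evaluates the Size constraint both ways, Greater than 0 and Greater than or equal to 0, to show why the operator matters for an empty header.

```python
import re

# Constructed sample requests (not captured traffic): header name -> value.
# A request without a "User-Agent" key models a request that omits the header.
SAMPLE_REQUESTS = {
    "browser":    {"Host": "example.com", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    "curl":       {"Host": "example.com", "user-agent": "curl/8.4.0"},
    "missing_ua": {"Host": "example.com"},
    "empty_ua":   {"Host": "example.com", "User-Agent": ""},
    "blank_ua":   {"Host": "example.com", "User-Agent": "   "},
}

UA_PATTERN = re.compile(r".+")  # the pattern from Method #1


def get_header(headers, name):
    """Return the header value, or None if absent. HTTP header names are
    case-insensitive, so 'user-agent' and 'User-Agent' are the same header."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def regex_condition_matches(headers, pattern=UA_PATTERN):
    """Method #1 condition: header User-Agent, transformation None, regex `.+`.
    Assumption: a request without the header is not inspected, so it matches
    no filter."""
    ua = get_header(headers, "User-Agent")
    if ua is None:
        return False
    return pattern.search(ua) is not None


def size_condition_matches(headers, operator, size):
    """Method #2 condition: size constraint on the User-Agent byte length.
    Same assumption about a missing header as above."""
    ua = get_header(headers, "User-Agent")
    if ua is None:
        return False
    length = len(ua.encode("utf-8"))
    comparisons = {
        "EQ": length == size, "NE": length != size,
        "LE": length <= size, "LT": length < size,
        "GE": length >= size, "GT": length > size,
    }
    return comparisons[operator]


def rule_action(condition_matched):
    """Both rules are configured as 'does NOT match the condition' -> Block."""
    return "ALLOW" if condition_matched else "BLOCK"


def evaluate(headers, method, operator="GT", size=0):
    """Decision for one request under the regex rule or the size rule."""
    if method == "regex":
        return rule_action(regex_condition_matches(headers))
    if method == "size":
        return rule_action(size_condition_matches(headers, operator, size))
    raise ValueError(f"unknown method {method!r}")


def decision_table(requests=SAMPLE_REQUESTS):
    """Decision per sample request for each rule variant."""
    return {
        name: {
            "regex": evaluate(h, "regex"),
            "size_gt_0": evaluate(h, "size", "GT", 0),
            "size_ge_0": evaluate(h, "size", "GE", 0),
        }
        for name, h in requests.items()
    }


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name:<11} regex={row['regex']:<5} size>0={row['size_gt_0']:<5} "
              f"size>=0={row['size_ge_0']}")
```

Running it shows the two points worth remembering: the empty_ua request is blocked by the regex rule and by the size rule with Greater than 0, but allowed by the size rule with Greater than or equal to 0; and blank_ua (whitespace only) is allowed by every variant, because `.+` and a byte count both treat spaces as content.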
