What’s up with mod_security and User-Agent? (406 Not Acceptable)

So… what’s the deal with mod_security and User-Agent? I tried to browse to HandheldRadio.net using Lynx, and was greeted with this 406 error:

                            Not Acceptable

   An appropriate representation of the requested resource / could not be
   found on this server.

   Additionally, a 406 Not Acceptable error was encountered while trying
   to use an ErrorDocument to handle the request.

A few searches and I discovered this was due to Apache mod_security.

I don’t get it. Why would you exclude based on User-Agent? That’s something that can be changed at will by any program that decides to be nefarious. This seems like security theatre rather than real security.

Even in the best case, this kind of “security” just turns into a red queen’s race to the bottom where everything will now lie about what it is because someone screwed up a config file somewhere.

And so I’ve started lying (in my .bashrc):

alias lynx='lynx -useragent="Mozilla/5.0 (X11; Ubuntu Lynx; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"'

Damn, that’s stupid.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: