What’s up with mod_security and User-Agent? (406 Not Acceptable)

May 1, 2018

So… what’s the deal with mod_security and User-Agent? I tried to browse to HandheldRadio.net using Lynx, and was greeted with this 406 error:

                            Not Acceptable

   An appropriate representation of the requested resource / could not be
   found on this server.

   Additionally, a 406 Not Acceptable error was encountered while trying
   to use an ErrorDocument to handle the request.

A few searches and I discovered this was due to Apache mod_security.

I don’t get it. Why would you exclude based on User-Agent? That’s something that can be changed at will by any program that decides to be nefarious. This seems like security theatre rather than real security.

Even in the best case, this kind of “security” just turns into a red queen’s race to the bottom where everything will now lie about what it is because someone screwed up a config file somewhere.

And so I’ve started lying (in my .bashrc):

alias lynx='lynx -useragent="Mozilla/5.0 (X11; Ubuntu Lynx; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"'

Damn, that’s stupid.