This repository has been archived by the owner on May 14, 2020. It is now read-only.

Whitelist format of key HTTP request headers #1144

Open
dune73 opened this issue Jul 12, 2018 · 5 comments

Comments

@dune73
Contributor

dune73 commented Jul 12, 2018

We are blacklisting illegal request headers, but with Apache concatenating duplicate headers before we get a chance to count them, etc., it makes sense to whitelist the format of several request headers.

Candidates:

  • Host
  • Accept
  • Accept-Language (benefit?)
  • Accept-Encoding
  • Cache-Control (benefit?)
  • Connection
  • Content-Type
  • Cookie (viable?)
  • If-Modified-Since (benefit?)
  • Range
  • Referer (viable?)
  • User-Agent (viable?)

This is meant for CRS 3.2.

Also see #1137.
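
As an added example (not part of this issue and not CRS code), the following Python sketch contrasts the two approaches the opening post describes: counting duplicate headers, which silently passes once Apache has folded repeated fields into one comma-joined value, and a per-header format whitelist evaluated on what the WAF actually sees. The regexes, the header samples and the function names are illustrative assumptions of mine, deliberately strict and not CRS rules; `as_collection` imitates the `REQUEST_HEADERS` collection after Apache's merge.

```python
import re

# Added example, not CRS code. Per-header format whitelists for some of the
# candidate headers named in the issue; every pattern here is an assumption.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"          # RFC 7230 tchar, one or more
OWS = r"[ \t]*"                                  # optional whitespace
PARAM = rf'(?:{OWS};{OWS}{TOKEN}=(?:{TOKEN}|"[^"]*"))'   # ;name=value
MEDIA = rf"{TOKEN}/{TOKEN}{PARAM}*"              # type/subtype;params
QVAL = rf"(?:{OWS};{OWS}q=(?:0(?:\.[0-9]{{1,3}})?|1(?:\.0{{1,3}})?))?"
RANGE_SPEC = r"(?:[0-9]+-[0-9]*|-[0-9]+)"        # first-last, first-, -suffix


def comma_list(item):
    """Anchored pattern for a comma-separated list of `item` (list headers)."""
    return rf"^{OWS}{item}(?:{OWS},{OWS}{item})*{OWS}$"


HEADER_FORMATS = {
    # Singleton headers: a comma-joined value can never be legal.
    "host": re.compile(r"^(?:[A-Za-z0-9.-]{1,253}|\[[0-9A-Fa-f:.]+\])(?::[0-9]{1,5})?$"),
    "content-type": re.compile(rf"^{MEDIA}$"),
    "range": re.compile(rf"^bytes={RANGE_SPEC}(?:{OWS},{OWS}{RANGE_SPEC})*$"),
    # List headers: merging duplicates still yields a syntactically valid value.
    "accept": re.compile(comma_list(MEDIA)),
    "accept-encoding": re.compile(comma_list(rf"{TOKEN}{QVAL}")),
    "connection": re.compile(comma_list(TOKEN)),
}


def as_collection(raw_headers, merge_like_apache=True):
    """Build a REQUEST_HEADERS-style collection: name -> list of values.

    merge_like_apache=True folds repeated fields into one comma-joined value,
    which is what Apache does before ModSecurity runs; False keeps one entry
    per occurrence, the shape a count like &REQUEST_HEADERS:Host would need.
    """
    collection = {}
    for name, value in raw_headers:
        entries = collection.setdefault(name.strip().lower(), [])
        if merge_like_apache and entries:
            entries[0] = entries[0] + ", " + value
        else:
            entries.append(value)
    return collection


def duplicated_headers(collection):
    """Blacklist-style check: header names that occur more than once."""
    return sorted(name for name, values in collection.items() if len(values) > 1)


def format_violations(collection):
    """Whitelist-style check: (name, value) pairs that fail their format.
    Headers without a pattern are not judged here."""
    bad = []
    for name, values in collection.items():
        pattern = HEADER_FORMATS.get(name)
        if pattern is None:
            continue
        bad.extend((name, v) for v in values if not pattern.fullmatch(v))
    return sorted(bad)


# Constructed sample requests, as a client would send the header fields.
BENIGN = [
    ("Host", "www.example.org"),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
    ("Accept-Encoding", "gzip, deflate, br"),
    ("Connection", "keep-alive"),
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("Range", "bytes=0-499, 1000-"),
]
DUPLICATE_HOST = [("Host", "www.example.org"), ("Host", "attacker.example"), ("Accept", "*/*")]
DUPLICATE_ACCEPT = [("Host", "www.example.org"), ("Accept", "text/html"), ("Accept", "*/*")]
MALFORMED = [("Host", "www.example.org"), ("Range", "bytes=0-99, foo"), ("Content-Type", "text/html; charset")]

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("dup host", DUPLICATE_HOST),
                       ("dup accept", DUPLICATE_ACCEPT), ("malformed", MALFORMED)]:
        merged = as_collection(req)
        print(label, "| count check:", duplicated_headers(merged),
              "| raw count:", duplicated_headers(as_collection(req, False)),
              "| whitelist:", format_violations(merged))
```

Two things the run shows: the duplicate count only fires on the unmerged request, never on the merged one, whereas the Host whitelist rejects the merged `www.example.org, attacker.example` value; and a merged Accept header stays valid because a comma list is its normal form, which is the "benefit?" question behind several of the list headers above. In ModSecurity each pattern would become a phase 1 `SecRule REQUEST_HEADERS:Host "!@rx ..."` with a deny action.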

@ghost

ghost commented Jan 24, 2019

Let me look into this. I've studied these headers pretty extensively. There are over 100 of them, including crazy ones that are deprecated but that you see a lot in legacy apps that might use ModSecurity, such as the Pragma header.

@dune73
Contributor Author

dune73 commented Jan 24, 2019

Compared to the other issue you picked, this one is really big and complex as it touches on many different aspects of CRS. If you pick this, it will accompany you for months. By the end, you will understand the inner mechanics of CRS thoroughly, but you could also become overwhelmed along the way. Unsure how to advise you. Smaller bites are probably easier to swallow.

@ghost

ghost commented Jan 24, 2019

Thanks for the heads up @dune73. Glad I didn't walk into this thinking it was way easier than it actually was. Will not do for the time being.

@fgsch fgsch removed this from the CRS v3.2.0 milestone Oct 20, 2019
@github-actions

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days.

@github-actions github-actions bot added the Stale issue This issue has been open 120 days with no activity. label Feb 18, 2020
@github-actions github-actions bot closed this as completed Mar 3, 2020
@dune73 dune73 reopened this Mar 3, 2020
@dune73
Contributor Author

dune73 commented Mar 3, 2020

I still plan to follow up on this.

@dune73 dune73 removed the Stale issue This issue has been open 120 days with no activity. label Mar 3, 2020