Question about sec-ch-ua HTTP header being flagged as possible XSS

Wanted to ask a question. We are getting a lot of App Firewall events where it looks like Chrome is injecting a new HTTP header named “sec-ch-ua” with a value of

"\Not;A"Brand";v="99", "Google Chrome";v="85", "Chromium";v="85"

This event looks innocuous. I did some research and below are a few articles on the header.

https://www.chromestatus.com/feature/5995832180473856

Are these events harmless, and if so, can we configure our applications to ignore them?

Hey Eric!

Yes, this event is harmless and safe to ignore. We also do have an item in our backlog to include a filter to automatically ignore these (related to the changes that you’ve outlined above regarding the sec-* headers).

2 Likes

Hello. Quick question. Have you all made any progress on filtering these items out? They are causing us to get alerts on legitimate traffic.

Hey Eric! We actually pushed out a blanket policy to ignore sec-ch-ua header matching tc-xss4 pattern last night…let me know how it goes!
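As an added illustration of the exception described in the reply above (not code from this thread or from the vendor's App Firewall), the snippet below runs a generic XSS signature over constructed request headers, shows it firing on the Chrome 85 sec-ch-ua value quoted earlier in the thread, and then applies a narrow exception that skips that header only when its value has the client-hint brand-list shape. The signature regex and the brand-list check are hypothetical stand-ins; the real tc-xss4 pattern is not shown on the page.

```python
import re
from typing import NamedTuple

# Constructed request headers for the demo; the sec-ch-ua value is the one
# quoted in the thread above, the other headers are filler.
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "sec-ch-ua": '"\\Not;A"Brand";v="99", "Google Chrome";v="85", "Chromium";v="85"',
    "User-Agent": "Mozilla/5.0",
}

# Hypothetical stand-in for a generic XSS signature: quotes, backslashes and
# angle brackets are exactly what client-hint brand strings contain, so a rule
# like this fires on every request from a recent Chrome.
XSS_SIGNATURE = re.compile(r'["\\<>]')

# Shape of a Sec-CH-UA brand list: comma-separated  "brand";v="NN"  items.
# The string body is matched loosely (the greased brand Chrome 85 sent is not a
# strictly valid RFC 8941 string), but angle brackets are never accepted, so the
# exception stays narrow rather than blindly allowlisting the header.
BRAND_LIST = re.compile(
    r'^\s*"[^<>\r\n]*"\s*;\s*v="\d+"(\s*,\s*"[^<>\r\n]*"\s*;\s*v="\d+")*\s*$'
)

class Finding(NamedTuple):
    header: str
    suppressed: bool

def scan_headers(headers: dict, ignore_client_hints: bool) -> list:
    """Run the XSS signature over every header. With ignore_client_hints set,
    a sec-ch-ua value that has the brand-list shape is recorded as suppressed
    instead of alerting, which is the policy the thread describes."""
    findings = []
    for name, value in headers.items():
        if not XSS_SIGNATURE.search(value):
            continue
        is_brand_list = name.lower() == "sec-ch-ua" and BRAND_LIST.match(value) is not None
        findings.append(Finding(name, bool(ignore_client_hints and is_brand_list)))
    return findings

def alerts(headers: dict, ignore_client_hints: bool) -> list:
    """Header names that would still raise an App Firewall event."""
    return [f.header for f in scan_headers(headers, ignore_client_hints) if not f.suppressed]

if __name__ == "__main__":
    print("before exception:", alerts(SAMPLE_HEADERS, ignore_client_hints=False))
    print("after exception: ", alerts(SAMPLE_HEADERS, ignore_client_hints=True))
```

The same metacharacters in any other header, or a sec-ch-ua value that does not look like a brand list, still raise an event, which is the check worth keeping when you scope such an exception.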

I have confirmed that the rule is in place. Thanks @bria_grangard

1 Like