Question about sec-ch-ua HTTP header being flagged as possible XSS

Wanted to ask a question. We are getting a lot of App Firewall events where it looks like Chrome is injecting a new HTTP header named “sec-ch-ua” with a value of

“\Not;A"Brand”;v=“99”, “Google Chrome”;v=“85”, “Chromium”;v=“85”

This event looks innocuous. I did some research and below are a few articles on the header.


https://www.chromestatus.com/feature/5995832180473856

Are these events harmless, and if so, can we configure our applications to ignore them?

Hey Eric!

Yes, this event is harmless and safe to ignore. We also do have an item in our backlog to include a filter to automatically ignore these (related to the changes that you’ve outlined above regarding the sec-* headers).

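For readers triaging the same events: the sketch below is an added example, not code from this thread or from the firewall vendor. It checks that a flagged `sec-ch-ua` value is a well-formed list of `"brand";v="version"` members before an event is treated as the benign client hint. The function names, the numeric-version and no-angle-bracket policy, and the escaped on-the-wire form of the sample value are assumptions.

```python
import re

# RFC 8941 sf-string: printable ASCII, with \" and \\ as the only escapes.
_SF_STRING = r'"((?:[\x20-\x21\x23-\x5B\x5D-\x7E]|\\["\\])*)"'
# One list member as Chrome sends it: "<brand>";v="<version>"
_MEMBER = re.compile(_SF_STRING + ";v=" + _SF_STRING)
_SEP = re.compile(r"[ \t]*,[ \t]*")

# Constructed sample: the value from the question in on-the-wire form.
SAMPLE = r'"\\Not;A\"Brand";v="99", "Google Chrome";v="85", "Chromium";v="85"'
# Constructed sample: markup appended after a valid member.
TAMPERED = '"Chromium";v="85"<script>alert(1)</script>'


def parse_sec_ch_ua(value):
    """Return [(brand, version), ...]; raise ValueError if malformed."""
    brands, pos = [], 0
    while True:
        m = _MEMBER.match(value, pos)
        if not m:
            raise ValueError(f"no brand member at offset {pos}")
        brand, version = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        # Assumed policy for this example: numeric version, no angle brackets.
        if not re.fullmatch(r"[0-9.]+", version) or re.search(r"[<>]", brand):
            raise ValueError("unexpected characters in brand or version")
        brands.append((brand, version))
        pos = m.end()
        if pos == len(value):
            return brands
        sep = _SEP.match(value, pos)
        if not sep:
            raise ValueError(f"unexpected data at offset {pos}")
        pos = sep.end()


def triage(header_name, header_value):
    """Classify a WAF XSS hit on a request header."""
    if header_name.lower() != "sec-ch-ua":
        return "review"
    try:
        parse_sec_ch_ua(header_value)
    except ValueError:
        return "review"  # right name, wrong grammar: keep the alert
    return "benign-client-hint"
```

Events that come back as `review` carry the header name but not the expected grammar, so they stay in the analyst queue instead of being ignored with the rest.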