Blocking Empty User Agent String

firewall
#1

We get a significant amount of traffic in which the User Agent String is completely empty. Often, these requests are engaged in SQL Injection attempts, but not every one of these requests is detected as SQL Injection because the requester intersperses legitimate requests into their stream.

Do you recommend that we create a Firewall Rule that will block all traffic which has an empty user agent string? Is that a good idea? Are there legitimate examples in which HTTP/HTTPS traffic would have a completely empty user agent string? Or should we use “User Agent Blocking”? (Not sure if one can create a user agent blocking rule for empty user agent strings.)

I suppose if we created such a rule the perpetrators would simply add some (random) user agent string to their page requests?

What do other Cloudflare experts do to handle this?

Block requests with none user agent
#2

You could try issuing a challenge to empty user-agent strings. In my experience an empty string would be very, very rare for a real user but I’m sure some privacy nuts may have something that does it (most just send a generic string rather than empty though, I think). A challenge is enough to block an automated tool whilst only being a minor inconvenience for anyone really passing no user agent - and probably something that someone doing that would be kind of used to, I’d imagine.

EDIT: I’m assuming you’re running a ‘normal’ web site and not some kind of service with all manner of apps, iot device, api calls etc hitting you. Obviously you need to think twice if you do anything like that.
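A pre-check before enabling such a rule, as an added example that is not part of this thread or of Cloudflare's tooling: it parses constructed combined-format access-log lines, counts requests whose User-Agent was absent (logged as "-") or sent empty (logged as ""), groups them by client IP and path, and lists any API-looking paths (a hypothetical `/api/` prefix heuristic) that a challenge or block on empty user agents would also hit.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache/Nginx "combined" format).
# Both servers log "-" when the User-Agent header is absent and "" when
# the client sends the header with an empty value.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /products?id=1 HTTP/1.1" 200 2048 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /products?id=1%27%20OR%201%3D1 HTTP/1.1" 403 512 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /about HTTP/1.1" 200 1024 "-" "-"
192.0.2.44 - - [10/Oct/2023:13:55:40 +0000] "POST /api/v1/telemetry HTTP/1.1" 204 0 "-" ""
192.0.2.44 - - [10/Oct/2023:13:56:40 +0000] "POST /api/v1/telemetry HTTP/1.1" 204 0 "-" ""
203.0.113.10 - - [10/Oct/2023:13:56:41 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical heuristic: paths under these prefixes are assumed to serve
# machine clients (APIs, telemetry) that may legitimately send no UA.
MACHINE_PREFIXES = ("/api/",)


def is_empty_ua(ua):
    """True if the logged User-Agent is absent ("-") or empty ("")."""
    return ua.strip() in ("", "-")


def summarize_empty_ua(log_text):
    """Count empty-UA requests by client IP and by path; also return the
    machine-looking paths an empty-UA rule would affect."""
    total = empty = 0
    by_ip, by_path = Counter(), Counter()
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than guessing
        total += 1
        if not is_empty_ua(m["ua"]):
            continue
        empty += 1
        path = m["path"].split("?", 1)[0]  # group by path, drop the query string
        by_ip[m["ip"]] += 1
        by_path[path] += 1
    at_risk = sorted(p for p in by_path if p.startswith(MACHINE_PREFIXES))
    return {"total": total, "empty": empty, "by_ip": by_ip,
            "by_path": by_path, "machine_paths": at_risk}
```

Run it over a real log export before enabling the rule: a non-empty `machine_paths` list, or an IP that only ever hits API paths, is the case the EDIT above warns about.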

#3

Cloudflare already has it, you only need to enable it because Cloudflare disables this rule by default:

#4

For info, that’s on ‘Pro’ accounts (and above).