HTTP response contains a space

Our firewall vendor has published a threat signature update detecting Cobalt Strike potential C2 traffic where the web server returns HTTP response with a after the reason-Phrase e.g. HTTP/1.1 200 OK, instead of HTTP/1.1 200 OK

The signature has matched quite a number of websites which all are proxied through Cloudflare e.g.

www.jag.com.au

Is this something Cloudflare has done deliberately? What is the reason behind that?
Thanks.

My assumption would be this comes straight from their servers.

However, a trailing space is valid according to the specification at RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing

1 Like

This topic was automatically closed after 14 days. New replies are no longer allowed.