I figured it out! About the 'HSTS not enforced' warning

Hi CF team,
Today I figured out the ‘HSTS not enforced’ warning in the Security Center.

That’s because ‘Security Center’ is blocked/challenged by Firewall Rules. If you open the ‘Overview’ page of ‘Firewall’, you should see something like this:

Method: GET
HTTP Version: HTTP/1.1
Host: your host here
Path: /
Query string: Empty query string
User agent: python-urllib3/1.26.7
IP address: 2606:4700:1101:0:59f9:ac5f:d53d:3a93
ASN: AS132892 CLOUDFLARE Cloudflare, Inc.
Country: United States

This is the second time I have insisted that the CF team should use a CF-like UA when sending requests to everyone’s websites… How hard can it be to change the ‘User-Agent’ string when coding? :thinking:

I have suggested before that the CF team use a proper UA:

PS: About the RDP warning, I still can’t figure it out. Maybe it’s also a bug, I think.


Python, eh? That’s one of the worst user agents I have problems with, probing my sites.

I’ll add Cloudflare’s ASN as an Allow and see how it goes.


Honestly, I think there’s a vulnerability if you add the CF ASN to your CF firewall whitelist. CF provides a serverless service (a.k.a. ‘Workers’). It’s very hard to block a CF IP if someone uses ‘Workers’ to visit/scan your website illegally. I think we can add CF’s IPs to iptables, but we should not add the CF ASN (without a proper UA) to the CF firewall whitelist.

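To make the allow-list concern in the reply above concrete, here is a small model of ordered firewall-rule evaluation. It is an added example, not code from this thread or from Cloudflare: the `Request`/`Rule` classes, the three rule sets and the sample requests are constructed for illustration. The scanner request copies the ASN and User-Agent quoted in the first post; the "worker" request is hypothetical (a Cloudflare-ASN origin that sets the same UA, which a Worker can do freely, with a documentation-prefix IP as a placeholder); the browser request uses reserved documentation values (TEST-NET-2 address, ASN 64496). The model assumes that Allow is a terminating action, i.e. a matching Allow exempts the request from every later rule.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


# Constructed request record; the fields mirror the Firewall 'Overview'
# entry quoted in the thread (IP address, ASN, User agent, Method, Path).
@dataclass(frozen=True)
class Request:
    ip: str
    asn: int
    user_agent: str
    method: str = "GET"
    path: str = "/"


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str  # 'allow', 'block', 'challenge' terminate evaluation; 'log' does not


TERMINATING_ACTIONS = {"allow", "block", "challenge"}


def evaluate(rules: List[Rule], req: Request) -> str:
    """Ordered evaluation: the first matching rule with a terminating action wins.

    Returns that action, or 'pass' when no terminating rule matched. An 'allow'
    that matches early therefore exempts the request from every rule below it,
    which is exactly what makes a broad ASN allow risky.
    """
    for rule in rules:
        if rule.matches(req) and rule.action in TERMINATING_ACTIONS:
            return rule.action
    return "pass"


CLOUDFLARE_ASN = 132892                 # AS132892, as shown in the first post
SCANNER_UA = "python-urllib3/1.26.7"    # User agent shown in the first post


def is_python_client(req: Request) -> bool:
    return req.user_agent.lower().startswith("python-")


# Rule set A: broad 'allow Cloudflare ASN' placed above a 'block python' rule.
ASN_ALLOW_FIRST = [
    Rule("allow-cloudflare-asn", lambda r: r.asn == CLOUDFLARE_ASN, "allow"),
    Rule("block-python-clients", is_python_client, "block"),
]

# Rule set B: allow narrowed to the scanner's exact UA, then block python.
ASN_AND_UA_ALLOW_FIRST = [
    Rule("allow-cloudflare-scanner",
         lambda r: r.asn == CLOUDFLARE_ASN and r.user_agent == SCANNER_UA, "allow"),
    Rule("block-python-clients", is_python_client, "block"),
]

# Rule set C: no ASN allow at all; python clients are blocked regardless of origin.
NO_ASN_ALLOW = [
    Rule("block-python-clients", is_python_client, "block"),
]

# Constructed sample requests (see the lead-in for what each one assumes).
SECURITY_CENTER_SCAN = Request("2606:4700:1101:0:59f9:ac5f:d53d:3a93", CLOUDFLARE_ASN, SCANNER_UA)
WORKER_SCAN = Request("2001:db8::1", CLOUDFLARE_ASN, SCANNER_UA)   # hypothetical Worker-origin probe
ORDINARY_BROWSER = Request("198.51.100.7", 64496, "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0")


def outcomes(rules: List[Rule]) -> Dict[str, str]:
    """Decision per sample request for one rule set."""
    samples = {
        "security-center": SECURITY_CENTER_SCAN,
        "worker": WORKER_SCAN,
        "browser": ORDINARY_BROWSER,
    }
    return {name: evaluate(rules, req) for name, req in samples.items()}


if __name__ == "__main__":
    for label, rules in (("A: ASN allow", ASN_ALLOW_FIRST),
                         ("B: ASN+UA allow", ASN_AND_UA_ALLOW_FIRST),
                         ("C: no allow", NO_ASN_ALLOW)):
        print(label, outcomes(rules))
```

Rule sets A and B both let the hypothetical Worker probe through, because the allow matches on attributes (ASN, and a UA the Worker can copy) before the python block is ever consulted; only rule set C blocks it, at the cost of also blocking the Security Center scan, which is the trade-off the thread is circling.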

Who doesn’t block python these days?

:stuck_out_tongue:


It did fix the HSTS warning. Now I can get rid of that Allow statement and stop wondering.
