AWS waf documentation change
Summary
Added warning about non-standard HTTP libraries triggering SignalNonBrowserUserAgent rule, with testing recommendations.
Security assessment
Documents false-positive avoidance for security feature (Bot Control) but doesn't indicate a specific security vulnerability fix.
Diff
diff --git a/waf/latest/developerguide/waf-bot-control-false-positives.md b/waf/latest/developerguide/waf-bot-control-false-positives.md index 7e944f8f5..f109ecc0a 100644 --- a//waf/latest/developerguide/waf-bot-control-false-positives.md +++ b//waf/latest/developerguide/waf-bot-control-false-positives.md @@ -35,0 +36,4 @@ Situations where you might encounter false positives include the following: +###### Important + +If your mobile app uses a non-standard HTTP library, or if users access your site through in-app browsers (such as links opened from social media apps), these clients may trigger the `SignalNonBrowserUserAgent` rule. Standard native mobile frameworks are excluded from this rule, but other non-browser user agents are not. Plan to test and add exceptions before enabling Bot Control in block mode. For an example, see [Bot Control example: Creating an exception for a blocked user agent](./waf-bot-control-example-user-agent-exception.html). +