-3

I have been looking around and trying to work out the best way to protect a few websites of mine.

Apart from the obvious manual monitoring of the site logs and banning extreme/suspicious activity, I have seen many posts etc. about banning user agents. Is this a good route to go down? And would it be a better idea, instead of banning known bad user agents, to just allow the common mainstream ones such as IE, Firefox, Safari and Chrome?

http://www.javascriptkit.com/howto/htaccess13.shtml

hozza

1 Answer

5

Not worth it.

The User Agent is sent by the client, and is trivial to forge. There's a Firefox add-on that adds alternate UA options to the menu, for example. If the attacker is writing a script, he can specify whatever UA he wants.

  • Indeed, most site suckers give you a list of UAs to impersonate, just so the web server thinks it's dealing with a regular browser. – John Gardeniers Apr 20 '12 at 03:21
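
Added example (not part of the original question or answer): a comparison, over constructed access-log lines, of a User-Agent allowlist like the one proposed in the question against a per-IP request-rate check. The log entries, IP addresses and the 30-requests-per-minute limit are assumptions chosen for illustration.

```python
import re
from collections import Counter

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')
ALLOWED_UA = re.compile(r"MSIE|Firefox|Safari|Chrome")  # the allowlist from the question
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 Chrome/18.0 Safari/535.19"

def entry(ip, second, path, ua):
    """Build one constructed combined-log line (sample data, not real traffic)."""
    return (f'{ip} - - [20/Apr/2012:03:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample: a mirroring script claiming to be Chrome, a real visitor,
# and a tool that honestly identifies itself.
SAMPLE = ([entry("203.0.113.7", s, f"/page{s}", CHROME) for s in range(40)]
          + [entry("198.51.100.4", s, "/index.html", CHROME) for s in (5, 20, 50)]
          + [entry("192.0.2.9", 10, "/feed.xml", "curl/7.21.0")])

def parse(line):
    """Return (ip, minute bucket, user agent), or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, ua = m.groups()
    return ip, ts[:17], ua  # ts[:17] is "20/Apr/2012:03:00", i.e. minute resolution

def blocked_by_ua_allowlist(lines):
    """IPs an allowlist-only rule would reject; it trusts a client-supplied string."""
    parsed = filter(None, map(parse, lines))
    return {ip for ip, _, ua in parsed if not ALLOWED_UA.search(ua)}

def flagged_by_rate(lines, per_minute_limit=30):
    """IPs exceeding the limit in any one-minute bucket, whatever UA they sent."""
    counts = Counter((ip, minute) for ip, minute, _ in filter(None, map(parse, lines)))
    return {ip for (ip, _), n in counts.items() if n > per_minute_limit}

if __name__ == "__main__":
    print("UA allowlist blocks:", blocked_by_ua_allowlist(SAMPLE))
    print("Rate check flags:   ", flagged_by_rate(SAMPLE))
```

The allowlist rejects only the client that identified itself honestly, while the scripted client sending a browser UA passes it and is caught only by its request rate.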