Big IP identifies header reordering as a man-in-the-middle attack and throws an error
Last Updated August 08, 2012
A customer uses BlueCoat to go to a website that uses the Big IP framework to identify man-in-the-middle attacks. The Big IP framework identifies header reordering as such an attack and throws an error, so the secured website cannot be accessed.
BlueCoat passes the Content-Length header at the beginning of the headers. Symantec DLP reorders the Content-Length header because of a potential HTTP redaction: when HTTP redaction is used, we change the HTTP body. As a result, the initial Content-Length is extracted in anticipation of its value changing. After extracting it, we hold onto the value and append it to the end of the headers later on (after any possible modification due to redaction).
The header reordering only occurs with proxies that have the Content-Length header at the beginning of the object.
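The following is an added example, not Symantec, BlueCoat or Big IP code. It is a simplified model of the extract-and-append behaviour described above, plus a check that tells a pure header reordering apart from headers being added, removed or altered when comparing captures taken before and after DLP. The request, host name, redaction pattern and all function names are constructed for illustration.

```python
import re

BODY = b"user=alice&id=123-45-6789"  # constructed sample form body
HOST = (b"Host", b"secure.example.test")  # constructed host name
CLEN = (b"Content-Length", str(len(BODY)).encode())

def serialize(start, headers, body):
    head = [start] + [n + b": " + v for n, v in headers]
    return b"\r\n".join(head) + b"\r\n\r\n" + body

def parse(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    start, *lines = head.split(b"\r\n")
    headers = [tuple(p.strip() for p in line.split(b":", 1)) for line in lines]
    return start, headers, body

def redact_and_rewrite(raw, pattern=rb"\d{3}-\d{2}-\d{4}", mask=b"[REDACTED]"):
    # Assumed model of the described behaviour: extract Content-Length,
    # redact the body, then append the header (recomputed) at the end.
    start, headers, body = parse(raw)
    had_length = any(n.lower() == b"content-length" for n, _ in headers)
    headers = [(n, v) for n, v in headers if n.lower() != b"content-length"]
    body = re.sub(pattern, mask, body)
    if had_length:
        headers.append((b"Content-Length", str(len(body)).encode()))
    return serialize(start, headers, body)

def compare_headers(before, after):
    # Separate a pure reordering from added, removed or altered headers.
    hb, ha = parse(before)[1], parse(after)[1]
    names_b = [n.lower() for n, _ in hb]
    names_a = [n.lower() for n, _ in ha]
    vals_b = dict(zip(names_b, (v for _, v in hb)))
    vals_a = dict(zip(names_a, (v for _, v in ha)))
    changed = sorted(n.decode() for n in vals_b if vals_a.get(n) != vals_b[n])
    return {"order_changed": names_b != names_a,
            "same_header_set": sorted(names_b) == sorted(names_a),
            "changed_values": changed}

# Constructed requests: Content-Length first (as the proxy sends it) and last.
LENGTH_FIRST = serialize(b"POST /login HTTP/1.1", [CLEN, HOST], BODY)
LENGTH_LAST = serialize(b"POST /login HTTP/1.1", [HOST, CLEN], BODY)

if __name__ == "__main__":
    for name, raw in (("length first", LENGTH_FIRST), ("length last", LENGTH_LAST)):
        print(name, compare_headers(raw, redact_and_rewrite(raw)))
```

A result with `order_changed` true, `same_header_set` true and only `content-length` in `changed_values` matches the behaviour this article describes.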