What do event log messages "NULL character found in the request header from x.x.x.x" mean?


Article ID: 167234



ProxySG Software - SGOS


These messages (NULL characters found) are almost invariably caused by non-compliant clients of one kind or another, such as viruses, adware, or spyware, so this is generally not traffic that should be allowed through.

From the ProxySG Configuration and Management Guide:

The ProxySG appliance blocks malformed HTTP requests, returning a 400 Invalid Request error. The tolerant HTTP request parsing flag causes certain types of malformed requests to be processed instead of being rejected.

By default, a header line not beginning with a <Tab> or space character must consist of a header name (which contains no <Tab> or space characters), followed by a colon, followed by an optional value, or an error is reported. With tolerant request parsing enabled, a request header name is allowed to contain <Tab> or space characters, and if the request header line does not contain a colon, then the entire line is taken as the header name.

A header containing one or more <Tab> or space characters, and nothing else, is considered ambiguous. Blue Coat does not know if this is a blank continuation line or if it is the blank line that signals the end of the header section. By default, an ambiguous blank line is illegal, and an error is reported. With tolerant request parsing enabled, an ambiguous blank line is treated as the blank line that ends the header section. 

To enable the HTTP tolerant request parsing flag:

From the (config) prompt, enter the following command to enable tolerant HTTP request parsing (the default is disabled):

SGOS#(config) http tolerant-request-parsing 

To disable HTTP tolerant request parsing:

SGOS#(config) http no tolerant-request-parsing 

When HTTP tolerant request parsing is disabled, all the NULL characters found in HTTP headers are dropped.
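
The header-line rules quoted above from the guide, modelled as a small parser so the default and tolerant behaviours can be compared on the same input. This is an added example, not ProxySG code or anything from the guide: parse_headers, its return tuple and the sample requests are constructed for illustration, the handling of a continuation line with no preceding header is an assumption, and NUL bytes are only flagged, not acted on.

```python
# Illustrative model of the quoted rules; not ProxySG code.
WS = b" \t"

def parse_headers(raw: bytes, tolerant: bool = False):
    """Parse a header section (the bytes after the request line).

    Returns (accepted, headers, saw_nul). accepted=False stands for the
    400 Invalid Request case; headers is a list of (name, value) pairs.
    """
    saw_nul = b"\x00" in raw            # condition the event log message reports
    headers = []
    for line in raw.split(b"\r\n"):
        if line == b"":
            break                       # unambiguous blank line: end of headers
        if line.strip(WS) == b"":       # tabs/spaces only: ambiguous blank line
            if tolerant:
                break                   # tolerant: taken as the end of headers
            return False, headers, saw_nul
        if line[:1] in (b" ", b"\t"):   # continuation of the previous header
            if not headers:             # assumption: nothing to continue is an error
                return False, headers, saw_nul
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip(WS))
            continue
        name, colon, value = line.partition(b":")
        # Strict: the name needs a colon after it and no tab/space inside it.
        if not tolerant and (not colon or any(c in WS for c in name)):
            return False, headers, saw_nul
        # Tolerant: a line without a colon becomes a name with an empty value.
        headers.append((name, value.strip(WS)))
    return True, headers, saw_nul

# Constructed sample header sections (not captured traffic).
SAMPLES = {
    "well-formed": b"Host: example.com\r\nAccept: */*\r\n\r\n",
    "no colon": b"Host: example.com\r\nX-Broken\r\n\r\n",
    "space in name": b"Host: example.com\r\nX Name: v\r\n\r\n",
    "ambiguous blank": b"Host: example.com\r\n \t\r\nX-After: 1\r\n\r\n",
    "NUL in value": b"Host: example.com\r\nX-Bad: a\x00b\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        for tolerant in (False, True):
            ok, hdrs, nul = parse_headers(raw, tolerant)
            print(f"{label:16} tolerant={tolerant!s:5} accepted={ok} nul={nul} {hdrs}")
```

In the "ambiguous blank" sample, tolerant mode ends the header section at the whitespace-only line, so X-After is never parsed as a header.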