The AppCheck scanner will not use a single consistent user agent for all HTTP requests. This is for various reasons, including the use by different modules within AppCheck of different user agents, as well as more esoteric reasons such as attempts to "fuzz" the user agent string itself as a very specific vulnerability type if the metadata field is vulnerable to injection or overflow vulnerabilities, for example.
How can I allow traffic from AppCheck based on user agent?
We don't encourage using a user agent based allow-list for the following reasons:
- As outlined above, the scanner by necessity will not use a single consistent user agent in all circumstances; and
- Since the HTTP user agent is recorded unencrypted in application and proxy logs, it is vulnerable to sniffing/interception and hence spoofing - that is, an attacker could discover and provide the AppCheck user agent in their own requests, and be duly allowed by the screening network device, leaving the server vulnerable to attack
If I cannot use the user agent, how can I ensure AppCheck traffic is allowed?
Since the user agent can be spoofed, AppCheck highly recommends that traffic related to its scanners is instead allowed based on source IP address. The source IP address will be client-specific in the case of deployed internal hubs, however for the majority of scanning (all that is performed from our cloud scanners) you can view the IP source list to allow on your screening network device (eg IPS and firewall) at Allowing AppCheck Access to Your Network or Applications.