PyPI - aiwaf - Versions diffs - 0.1.9.3.2__py3-none-any.whl → 0.1.9.3.4__py3-none-any.whl - Mend

aiwaf 0.1.9.3.2__py3-none-any.whl → 0.1.9.3.4__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of aiwaf might be problematic. Click here for more details.

Files changed (7)

aiwaf/__init__.py CHANGED Viewed

@@ -1,6 +1,6 @@
 default_app_config = "aiwaf.apps.AiwafConfig"
-__version__ = "0.1.9.3.2"
+__version__ = "0.1.9.3.3"
 # Note: Middleware classes are available from aiwaf.middleware
 # Import them only when needed to avoid circular imports during Django app loading

aiwaf/middleware.py CHANGED Viewed

@@ -504,6 +504,51 @@ class AIAnomalyMiddleware(MiddlewareMixin):
         return any(malicious_indicators)
+    def _is_scanning_path(self, path):
+        """
+        Determine if a 404 path looks like automated scanning vs legitimate browsing.
+        Focus on common scanner patterns that indicate malicious intent.
+        """
+        path_lower = path.lower()
+        # Common scanning patterns that are clear indicators of malicious activity
+        scanning_patterns = [
+            # WordPress scanning
+            'wp-admin', 'wp-content', 'wp-includes', 'wp-config', 'xmlrpc.php',
+            # Admin/config scanning
+            'admin', 'phpmyadmin', 'adminer', 'config', 'configuration',
+            'settings', 'setup', 'install', 'installer',
+            # Database/backup scanning
+            'backup', 'database', 'db', 'mysql', 'sql', 'dump',
+            # System files scanning
+            '.env', '.git', '.htaccess', '.htpasswd', 'passwd', 'shadow',
+            'robots.txt', 'sitemap.xml',
+            # Common vulnerabilities
+            'cgi-bin', 'scripts', 'shell', 'cmd', 'exec',
+            # File extensions that shouldn't exist on most sites
+            '.php', '.asp', '.aspx', '.jsp', '.cgi', '.pl'
+        ]
+        # Check for scanning patterns
+        for pattern in scanning_patterns:
+            if pattern in path_lower:
+                return True
+        # Check for directory traversal attempts
+        if '../' in path or '..' in path:
+            return True
+        # Check for encoded attack patterns
+        if any(encoded in path for encoded in ['%2e%2e', '%252e', '%c0%ae']):
+            return True
+        return False
     def process_request(self, request):
         # First exemption check - early exit for exempt requests
         if is_exempt(request):
@@ -564,27 +609,27 @@ class AIAnomalyMiddleware(MiddlewareMixin):
                 # Get recent behavior data for this IP to make intelligent blocking decision
                 recent_data = [d for d in data if now - d[0] <= 300]  # Last 5 minutes
+                # Always initialize variables before use
+                recent_kw_hits = []
+                recent_404s = 0
+                recent_burst_counts = []
                 if recent_data:
-                    # Calculate behavior metrics similar to trainer.py
-                    recent_kw_hits = []
-                    recent_404s = 0
-                    recent_burst_counts = []
-                for entry_time, entry_path, entry_status, entry_resp_time in recent_data:
-                    # Calculate keyword hits for this entry
-                    entry_known_path = path_exists_in_django(entry_path)
-                    entry_kw_hits = 0
-                    if not entry_known_path and not is_exempt_path(entry_path):
-                        entry_kw_hits = sum(1 for kw in STATIC_KW if kw in entry_path.lower())
-                    recent_kw_hits.append(entry_kw_hits)
-                    # Count 404s
-                    if entry_status == 404:
-                        recent_404s += 1
-                    # Calculate burst for this entry (requests within 10 seconds)
-                    entry_burst = sum(1 for (t, _, _, _) in recent_data if abs(entry_time - t) <= 10)
-                    recent_burst_counts.append(entry_burst)
+                    for entry_time, entry_path, entry_status, entry_resp_time in recent_data:
+                        # Calculate keyword hits for this entry
+                        entry_known_path = path_exists_in_django(entry_path)
+                        entry_kw_hits = 0
+                        if not entry_known_path and not is_exempt_path(entry_path):
+                            entry_kw_hits = sum(1 for kw in STATIC_KW if kw in entry_path.lower())
+                        recent_kw_hits.append(entry_kw_hits)
+                        # Count 404s
+                        if entry_status == 404:
+                            recent_404s += 1
+                        # Calculate burst for this entry (requests within 10 seconds)
+                        entry_burst = sum(1 for (t, _, _, _) in recent_data if abs(entry_time - t) <= 10)
+                        recent_burst_counts.append(entry_burst)
                 # Calculate averages and maximums
                 avg_kw_hits = sum(recent_kw_hits) / len(recent_kw_hits) if recent_kw_hits else 0
@@ -592,28 +637,37 @@ class AIAnomalyMiddleware(MiddlewareMixin):
                 avg_burst = sum(recent_burst_counts) / len(recent_burst_counts) if recent_burst_counts else 0
                 total_requests = len(recent_data)
-                # Don't block if it looks like legitimate behavior (same thresholds as trainer.py):
+                # Enhanced 404 analysis - focus on scanning patterns
+                scanning_404s = sum(1 for (_, path, status, _) in recent_data
+                                  if status == 404 and self._is_scanning_path(path))
+                legitimate_404s = max_404s - scanning_404s
+                # Don't block if it looks like legitimate behavior:
                 if (
-                    avg_kw_hits < 2 and           # Not hitting many malicious keywords
-                    max_404s < 10 and            # Not excessive 404s
-                    avg_burst < 15 and           # Not excessive burst activity
-                    total_requests < 100         # Not excessive total requests
+                    avg_kw_hits < 3 and           # Allow some keyword hits (increased from 2)
+                    scanning_404s < 5 and        # Focus on scanning 404s, not all 404s
+                    legitimate_404s < 20 and     # Allow more legitimate 404s (typos, old links)
+                    avg_burst < 25 and           # Allow higher burst (increased from 15)
+                    total_requests < 150         # Allow more total requests (increased from 100)
                 ):
                     # Anomalous but looks legitimate - don't block
                     pass
                 else:
                     # Double-check exemption before blocking
                     if not exemption_store.is_exempted(ip):
-                        BlacklistManager.block(ip, f"AI anomaly + suspicious patterns (kw:{avg_kw_hits:.1f}, 404s:{max_404s}, burst:{avg_burst:.1f})")
+                        BlacklistManager.block(ip, f"AI anomaly + scanning 404s (total:{max_404s}, scanning:{scanning_404s}, kw:{avg_kw_hits:.1f}, burst:{avg_burst:.1f})")
                         # Check if actually blocked (exempted IPs won't be blocked)
                         if BlacklistManager.is_blocked(ip):
                             return JsonResponse({"error": "blocked"}, status=403)
             else:
-                # No recent data to analyze - be more conservative, only block on very suspicious current request
-                if kw_hits >= 2 or status_idx == STATUS_IDX.index("404"):
+                # No recent data to analyze - be more conservative
+                # Only block on multiple suspicious indicators, not single 404
+                current_scanning = self._is_scanning_path(request.path)
+                if kw_hits >= 3 and current_scanning:  # Require both high keywords AND scanning pattern
                     # Double-check exemption before blocking
                     if not exemption_store.is_exempted(ip):
-                        BlacklistManager.block(ip, "AI anomaly + immediate suspicious behavior")
+                        BlacklistManager.block(ip, f"AI anomaly + scanning behavior (kw:{kw_hits}, scanning_path:{request.path})")
                         if BlacklistManager.is_blocked(ip):
                             return JsonResponse({"error": "blocked"}, status=403)
@@ -644,10 +698,13 @@ class HoneypotTimingMiddleware(MiddlewareMixin):
     MAX_PAGE_TIME = getattr(settings, "AIWAF_MAX_PAGE_TIME", 240)  # 4 minutes default
     def _view_accepts_method(self, request, method):
-        """Check if the current view/URL pattern accepts the specified HTTP method"""
+        """
+        Check if the current view accepts the specified HTTP method.
+        Be very conservative - only block when we're absolutely certain.
+        Handle decorator issues by being permissive when detection fails.
+        """
         try:
             from django.urls import resolve
-            from django.urls.resolvers import URLResolver, URLPattern
             # Resolve the current URL to get the view
             resolved = resolve(request.path)
@@ -657,12 +714,12 @@ class HoneypotTimingMiddleware(MiddlewareMixin):
             if hasattr(view_func, 'cls'):
                 view_class = view_func.cls
-                # Check http_method_names attribute (most reliable)
+                # Check http_method_names attribute (most reliable for CBVs)
                 if hasattr(view_class, 'http_method_names'):
                     allowed_methods = [m.upper() for m in view_class.http_method_names]
                     return method.upper() in allowed_methods
-                # Check for method-handling methods
+                # For CBVs without http_method_names, check for method handlers
                 method_handlers = {
                     'GET': ['get'],
                     'POST': ['post', 'form_valid', 'form_invalid'],
@@ -674,76 +731,30 @@ class HoneypotTimingMiddleware(MiddlewareMixin):
                 if method.upper() in method_handlers:
                     handlers = method_handlers[method.upper()]
                     has_handler = any(hasattr(view_class, handler) for handler in handlers)
-                    if has_handler:
-                        return True
-                    # If no handler found, check if it's a common method that should be rejected
-                    if method.upper() in ['GET', 'POST', 'PUT', 'DELETE', 'PATCH']:
-                        return False
+                    return has_handler
-                # Default: assume method is allowed for class-based views
+                # Default for CBVs: be permissive
                 return True
-            # Handle function-based views
+            # Handle function-based views (including decorated ones)
             else:
-                # Check if view has explicit allowed methods
-                if hasattr(view_func, 'http_method_names'):
-                    allowed_methods = [m.upper() for m in view_func.http_method_names]
-                    return method.upper() in allowed_methods
+                # Try to unwrap decorators to get the actual view function
+                actual_func = view_func
+                while hasattr(actual_func, '__wrapped__'):
+                    actual_func = actual_func.__wrapped__
-                # For function-based views, inspect the source code
-                import inspect
-                try:
-                    source = inspect.getsource(view_func)
-                    method_upper = method.upper()
-                    # Look for method handling in the source
-                    if f'request.method' in source and method_upper in source:
-                        return True
-                    # Look for method-specific patterns
-                    method_patterns = {
-                        'GET': ['request.GET', 'GET'],
-                        'POST': ['request.POST', 'POST', 'form.is_valid()'],
-                        'PUT': ['PUT', 'request.PUT'],
-                        'DELETE': ['DELETE', 'request.DELETE']
-                    }
-                    if method.upper() in method_patterns:
-                        patterns = method_patterns[method.upper()]
-                        if any(pattern in source for pattern in patterns):
-                            return True
-                except (OSError, TypeError):
-                    # Can't get source, make educated guess
-                    pass
+                # Check if the actual function has explicit allowed methods
+                if hasattr(actual_func, 'http_method_names'):
+                    allowed_methods = [m.upper() for m in actual_func.http_method_names]
+                    return method.upper() in allowed_methods
-                # Check URL pattern name for method-specific endpoints
-                if resolved.url_name:
-                    url_name_lower = resolved.url_name.lower()
-                    # POST-only patterns
-                    post_only_patterns = ['create', 'submit', 'upload', 'process']
-                    # GET-only patterns
-                    get_only_patterns = ['list', 'detail', 'view', 'display']
-                    if method.upper() == 'POST':
-                        if any(pattern in url_name_lower for pattern in post_only_patterns):
-                            return True
-                        if any(pattern in url_name_lower for pattern in get_only_patterns):
-                            return False
-                    elif method.upper() == 'GET':
-                        if any(pattern in url_name_lower for pattern in get_only_patterns):
-                            return True
-                        if any(pattern in url_name_lower for pattern in post_only_patterns):
-                            return False
-                # Default: assume function-based views accept common methods
-                return method.upper() in ['GET', 'POST', 'HEAD', 'OPTIONS']
+                # For function-based views, be very conservative
+                # Most Django views accept both GET and POST, so default to allowing
+                return True
         except Exception as e:
-            # If we can't determine, err on the side of caution and allow
-            print(f"AIWAF: Could not determine {method} capability for {request.path}: {e}")
+            # If anything fails (decorators, imports, etc.), be permissive
+            # Better to allow a legitimate request than block it
             return True
     def process_request(self, request):
@@ -759,16 +770,25 @@ class HoneypotTimingMiddleware(MiddlewareMixin):
             return None
         if request.method == "GET":
-            # ENHANCEMENT: Check if this view accepts GET requests
+            # CONSERVATIVE: Only block GET if we're absolutely certain it's POST-only
+            # Most Django views accept both GET and POST (forms show on GET, process on POST)
             if not self._view_accepts_method(request, 'GET'):
-                # This view is POST-only, but received a GET - likely scanning/probing
-                if not exemption_store.is_exempted(ip):
-                    BlacklistManager.block(ip, f"GET to POST-only view: {request.path}")
-                    if BlacklistManager.is_blocked(ip):
-                        return JsonResponse({
-                            "error": "blocked",
-                            "message": f"GET not allowed for {request.path}"
-                        }, status=405)  # Method Not Allowed
+                # EXTRA CHECK: Only block if path looks like obvious POST-only API endpoint
+                path_lower = request.path.lower()
+                obvious_post_only = any(path_lower.endswith(pattern) for pattern in [
+                    '/create/', '/submit/', '/upload/', '/delete/', '/process/'
+                ])
+                if obvious_post_only:
+                    # This is very likely a POST-only endpoint getting a GET
+                    if not exemption_store.is_exempted(ip):
+                        BlacklistManager.block(ip, f"GET to obvious POST-only endpoint: {request.path}")
+                        if BlacklistManager.is_blocked(ip):
+                            return JsonResponse({
+                                "error": "blocked",
+                                "message": f"GET not allowed for {request.path}"
+                            }, status=405)  # Method Not Allowed
+                # Otherwise, don't block - could be a decorated view or complex form
             # Store timestamp for this IP's GET request
             # Use a general key for the IP, not path-specific
@@ -868,3 +888,270 @@ class UUIDTamperMiddleware(MiddlewareMixin):
             # Check if actually blocked (exempted IPs won't be blocked)
             if BlacklistManager.is_blocked(ip):
                 return JsonResponse({"error": "blocked"}, status=403)
+class HeaderValidationMiddleware(MiddlewareMixin):
+    """
+    Validates HTTP headers to detect bots and malicious requests
+    """
+    # Standard browser headers that legitimate requests should have
+    REQUIRED_HEADERS = [
+        'HTTP_USER_AGENT',
+        'HTTP_ACCEPT',
+    ]
+    # Headers that browsers typically send
+    BROWSER_HEADERS = [
+        'HTTP_ACCEPT_LANGUAGE',
+        'HTTP_ACCEPT_ENCODING',
+        'HTTP_CONNECTION',
+        'HTTP_CACHE_CONTROL',
+    ]
+    # Suspicious User-Agent patterns
+    SUSPICIOUS_USER_AGENTS = [
+        r'bot',
+        r'crawler',
+        r'spider',
+        r'scraper',
+        r'curl',
+        r'wget',
+        r'python',
+        r'java',
+        r'node',
+        r'go-http',
+        r'axios',
+        r'okhttp',
+        r'libwww',
+        r'lwp-trivial',
+        r'mechanize',
+        r'requests',
+        r'urllib',
+        r'httpie',
+        r'postman',
+        r'insomnia',
+        r'^$',  # Empty user agent
+        r'mozilla/4\.0$',  # Fake old browser
+        r'mozilla/5\.0$',  # Incomplete mozilla string
+    ]
+    # Known legitimate bot user agents to whitelist
+    LEGITIMATE_BOTS = [
+        r'googlebot',
+        r'bingbot',
+        r'slurp',  # Yahoo
+        r'duckduckbot',
+        r'baiduspider',
+        r'yandexbot',
+        r'facebookexternalhit',
+        r'twitterbot',
+        r'linkedinbot',
+        r'whatsapp',
+        r'telegrambot',
+        r'applebot',
+        r'pingdom',
+        r'uptimerobot',
+        r'statuscake',
+        r'site24x7',
+    ]
+    # Suspicious header combinations
+    SUSPICIOUS_COMBINATIONS = [
+        # High version HTTP with old user agent
+        {
+            'condition': lambda headers: (
+                headers.get('SERVER_PROTOCOL', '').startswith('HTTP/2') and
+                'mozilla/4.0' in headers.get('HTTP_USER_AGENT', '').lower()
+            ),
+            'reason': 'HTTP/2 with old browser user agent'
+        },
+        # No Accept header but has User-Agent
+        {
+            'condition': lambda headers: (
+                headers.get('HTTP_USER_AGENT') and
+                not headers.get('HTTP_ACCEPT')
+            ),
+            'reason': 'User-Agent present but no Accept header'
+        },
+        # Accept */* only (very generic)
+        {
+            'condition': lambda headers: (
+                headers.get('HTTP_ACCEPT') == '*/*' and
+                not any(h in headers for h in ['HTTP_ACCEPT_LANGUAGE', 'HTTP_ACCEPT_ENCODING'])
+            ),
+            'reason': 'Generic Accept header without language/encoding'
+        },
+        # No browser-standard headers at all
+        {
+            'condition': lambda headers: (
+                headers.get('HTTP_USER_AGENT') and
+                not any(headers.get(h) for h in ['HTTP_ACCEPT_LANGUAGE', 'HTTP_ACCEPT_ENCODING', 'HTTP_CONNECTION'])
+            ),
+            'reason': 'Missing all browser-standard headers'
+        },
+        # Suspicious HTTP version patterns
+        {
+            'condition': lambda headers: (
+                'HTTP_USER_AGENT' in headers and
+                headers.get('SERVER_PROTOCOL') == 'HTTP/1.0' and
+                'chrome' in headers.get('HTTP_USER_AGENT', '').lower()
+            ),
+            'reason': 'Modern browser with HTTP/1.0'
+        }
+    ]
+    def process_request(self, request):
+        # Skip if request is exempted
+        if is_exempt(request):
+            return None
+        ip = get_ip(request)
+        # Check IP-level exemption
+        from .storage import get_exemption_store
+        exemption_store = get_exemption_store()
+        if exemption_store.is_exempted(ip):
+            return None
+        # Skip for static files and common paths
+        if self._is_static_request(request):
+            return None
+        # Get headers from request.META
+        headers = request.META
+        # Check for missing required headers
+        missing_headers = self._check_missing_headers(headers)
+        if missing_headers:
+            return self._block_request(ip, f"Missing required headers: {', '.join(missing_headers)}", request.path)
+        # Check for suspicious user agent
+        suspicious_ua = self._check_user_agent(headers.get('HTTP_USER_AGENT', ''))
+        if suspicious_ua:
+            return self._block_request(ip, f"Suspicious user agent: {suspicious_ua}", request.path)
+        # Check for suspicious header combinations
+        suspicious_combo = self._check_header_combinations(headers)
+        if suspicious_combo:
+            return self._block_request(ip, f"Suspicious headers: {suspicious_combo}", request.path)
+        # Check header quality score
+        quality_score = self._calculate_header_quality(headers)
+        if quality_score < 3:  # Threshold for suspicion
+            return self._block_request(ip, f"Low header quality score: {quality_score}", request.path)
+        return None
+    def _is_static_request(self, request):
+        """Check if this is a request for static files"""
+        static_extensions = ['.css', '.js', '.png', '.jpg', '.jpeg', '.gif', '.ico', '.svg', '.woff', '.woff2', '.ttf']
+        path = request.path.lower()
+        # Check file extensions
+        if any(path.endswith(ext) for ext in static_extensions):
+            return True
+        # Check static paths
+        static_paths = ['/static/', '/media/', '/assets/', '/favicon.ico']
+        if any(path.startswith(static_path) for static_path in static_paths):
+            return True
+        return False
+    def _check_missing_headers(self, headers):
+        """Check for missing required headers"""
+        missing = []
+        for header in self.REQUIRED_HEADERS:
+            if not headers.get(header):
+                missing.append(header.replace('HTTP_', '').replace('_', '-').lower())
+        return missing
+    def _check_user_agent(self, user_agent):
+        """Check if user agent is suspicious"""
+        if not user_agent:
+            return "Empty user agent"
+        user_agent_lower = user_agent.lower()
+        # Check if it's a legitimate bot first
+        for legitimate_pattern in self.LEGITIMATE_BOTS:
+            if re.search(legitimate_pattern, user_agent_lower):
+                return None  # Allow legitimate bots
+        # Check for suspicious patterns
+        for suspicious_pattern in self.SUSPICIOUS_USER_AGENTS:
+            if re.search(suspicious_pattern, user_agent_lower, re.IGNORECASE):
+                return f"Pattern: {suspicious_pattern}"
+        # Check for very short user agents (likely fake)
+        if len(user_agent) < 10:
+            return "Too short"
+        # Check for very long user agents (possibly malicious)
+        if len(user_agent) > 500:
+            return "Too long"
+        return None
+    def _check_header_combinations(self, headers):
+        """Check for suspicious header combinations"""
+        for combo in self.SUSPICIOUS_COMBINATIONS:
+            try:
+                if combo['condition'](headers):
+                    return combo['reason']
+            except Exception:
+                # If condition check fails, skip it
+                continue
+        return None
+    def _calculate_header_quality(self, headers):
+        """Calculate a quality score based on header completeness"""
+        score = 0
+        # Basic required headers (2 points each)
+        if headers.get('HTTP_USER_AGENT'):
+            score += 2
+        if headers.get('HTTP_ACCEPT'):
+            score += 2
+        # Browser-standard headers (1 point each)
+        for header in self.BROWSER_HEADERS:
+            if headers.get(header):
+                score += 1
+        # Bonus points for realistic combinations
+        if headers.get('HTTP_ACCEPT_LANGUAGE') and headers.get('HTTP_ACCEPT_ENCODING'):
+            score += 1
+        if headers.get('HTTP_CONNECTION') == 'keep-alive':
+            score += 1
+        # Check for realistic Accept header
+        accept = headers.get('HTTP_ACCEPT', '')
+        if 'text/html' in accept and 'application/xml' in accept:
+            score += 1
+        return score
+    def _block_request(self, ip, reason, path):
+        """Block the request and return error response"""
+        from .storage import get_exemption_store
+        exemption_store = get_exemption_store()
+        # Double-check exemption before blocking
+        if not exemption_store.is_exempted(ip):
+            BlacklistManager.block(ip, f"Header validation: {reason}")
+            # Check if actually blocked (exempted IPs won't be blocked)
+            if BlacklistManager.is_blocked(ip):
+                return JsonResponse({
+                    "error": "blocked",
+                    "message": "Request blocked due to suspicious headers",
+                    "path": path
+                }, status=403)
+        return None

{aiwaf-0.1.9.3.2.dist-info → aiwaf-0.1.9.3.4.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aiwaf
-Version: 0.1.9.3.2
+Version: 0.1.9.3.4
 Summary: AI-powered Web Application Firewall
 Home-page: https://github.com/aayushgauba/aiwaf
 Author: Aayush Gauba
@@ -34,6 +34,7 @@ Dynamic: requires-python
 - ✅ **Enhanced Configuration** - `AIWAF_ALLOWED_PATH_KEYWORDS` and `AIWAF_EXEMPT_KEYWORDS`
 - ✅ **Comprehensive HTTP Method Validation** - Blocks GET→POST-only, POST→GET-only, unsupported REST methods
 - ✅ **Enhanced Honeypot Protection** - POST validation & 4-minute page timeout with smart reload detection
+- ✅ **HTTP Header Validation** - Comprehensive bot detection via header analysis and quality scoring
 ---
@@ -113,6 +114,50 @@ aiwaf/
 - **File‑Extension Probing Detection**
   Tracks repeated 404s on common extensions (e.g. `.php`, `.asp`) and blocks IPs.
+- **🆕 HTTP Header Validation**
+  Advanced header analysis to detect bots and malicious requests:
+  - **Missing Required Headers** - Blocks requests without User-Agent or Accept headers
+  - **Suspicious User-Agents** - Detects curl, wget, python-requests, automated tools
+  - **Header Quality Scoring** - Calculates realism score based on browser-standard headers
+  - **Legitimate Bot Whitelist** - Allows Googlebot, Bingbot, and other search engines
+  - **Header Combination Analysis** - Detects impossible combinations (HTTP/2 + old browsers)
+  - **Static File Exemption** - Skips validation for CSS, JS, images
+## 🛡️ Header Validation Middleware Features
+The **HeaderValidationMiddleware** provides advanced bot detection through HTTP header analysis:
+### **What it detects:**
+- **Missing Headers**: Requests without standard browser headers
+- **Suspicious User-Agents**: WordPress scanners, exploit tools, basic scrapers
+- **Bot-like Patterns**: Low header diversity, missing Accept headers
+- **Quality Scoring**: 0-11 point system based on header completeness
+### **What it allows:**
+- **Legitimate Browsers**: Chrome, Firefox, Safari, Edge with full headers
+- **Search Engine Bots**: Google, Bing, DuckDuckGo, Yandex crawlers
+- **API Clients**: Properly identified with good headers
+- **Static Files**: CSS, JS, images (automatically exempted)
+### **Real-world effectiveness:**
+```
+✅ Blocks: WordPress scanners, exploit bots, basic scrapers
+✅ Allows: Real browsers, legitimate bots, API clients
+✅ Quality Score: 10/11 = Legitimate, 2/11 = Suspicious bot
+```
+### **Testing header validation:**
+```bash
+# Test with curl (will be blocked - low quality headers)
+curl http://yoursite.com/
+# Test with browser (will be allowed - high quality headers)
+# Visit site normally in Chrome/Firefox
+# Check logs for header validation blocks
+python manage.py aiwaf_logging --recent
+```
 - **Enhanced Timing-Based Honeypot**
   Advanced GET→POST timing analysis with comprehensive HTTP method validation:
   - Submit forms faster than `AIWAF_MIN_FORM_TIME` seconds (default: 1 second)
@@ -859,7 +904,3 @@ This project is licensed under the **MIT License**. See the [LICENSE](LICENSE) f
 ---
-## Credits
-**AI‑WAF** by [Aayush Gauba](https://github.com/aayushgauba)
-> "Let your firewall learn and evolve — keep your site a fortress." your Django `INSTALLED_APPS` to avoid setup errors.

{aiwaf-0.1.9.3.2.dist-info → aiwaf-0.1.9.3.4.dist-info}/RECORD RENAMED Viewed

@@ -1,8 +1,8 @@
-aiwaf/__init__.py,sha256=fq7wKNHdppvinnY5O4ZO5Tuh4nMAb55g0UzRWT5OMDY,220
+aiwaf/__init__.py,sha256=Rnla6te9DNqQBP_HMEdhUdQdj9dd4ECcAr6F62Xs4-A,220
 aiwaf/apps.py,sha256=nCez-Ptlv2kaEk5HenA8b1pATz1VfhrHP1344gwcY1A,142
 aiwaf/blacklist_manager.py,sha256=LYCeKFB-7e_C6Bg2WeFJWFIIQlrfRMPuGp30ivrnhQY,1196
 aiwaf/decorators.py,sha256=IUKOdM_gdroffImRZep1g1wT6gNqD10zGwcp28hsJCs,825
-aiwaf/middleware.py,sha256=yvnJyMCBPoWZX4MMi5q6bg77HnJyusRPxEyKPb5sRDE,40032
+aiwaf/middleware.py,sha256=_Erl9GGf1nrfywfghX1NU4CTuveugDlyTgP3sxu6h_A,49928
 aiwaf/middleware_logger.py,sha256=LWZVDAnjh6CGESirA8eMbhGgJKB7lVDGRQqVroH95Lo,4742
 aiwaf/models.py,sha256=vQxgY19BDVMjoO903UNrTZC1pNoLltMU6wbyWPoAEns,2719
 aiwaf/storage.py,sha256=pUXE3bm7aRrABh_B6jTOBUQOYK67oQmHaR9EqyOasis,14038
@@ -29,8 +29,8 @@ aiwaf/management/commands/test_exemption_fix.py,sha256=ngyGaHUCmQQ6y--6j4q1viZJt
 aiwaf/resources/model.pkl,sha256=5t6h9BX8yoh2xct85MXOO60jdlWyg1APskUOW0jZE1Y,1288265
 aiwaf/templatetags/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 aiwaf/templatetags/aiwaf_tags.py,sha256=XXfb7Tl4DjU3Sc40GbqdaqOEtKTUKELBEk58u83wBNw,357
-aiwaf-0.1.9.3.2.dist-info/licenses/LICENSE,sha256=Ir8PX4dxgAcdB0wqNPIkw84fzIIRKE75NoUil9RX0QU,1069
-aiwaf-0.1.9.3.2.dist-info/METADATA,sha256=9RO4jqkSoRP3p-xZN4Zsofbwg8GEG2LlfOVMqMWhYrQ,28987
-aiwaf-0.1.9.3.2.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-aiwaf-0.1.9.3.2.dist-info/top_level.txt,sha256=kU6EyjobT6UPCxuWpI_BvcHDG0I2tMgKaPlWzVxe2xI,6
-aiwaf-0.1.9.3.2.dist-info/RECORD,,
+aiwaf-0.1.9.3.4.dist-info/licenses/LICENSE,sha256=Ir8PX4dxgAcdB0wqNPIkw84fzIIRKE75NoUil9RX0QU,1069
+aiwaf-0.1.9.3.4.dist-info/METADATA,sha256=bgaJr_xz1U7y_wXrB0xkgXn_LPJknN_9FeTN5Bahe3c,30790
+aiwaf-0.1.9.3.4.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+aiwaf-0.1.9.3.4.dist-info/top_level.txt,sha256=kU6EyjobT6UPCxuWpI_BvcHDG0I2tMgKaPlWzVxe2xI,6
+aiwaf-0.1.9.3.4.dist-info/RECORD,,

{aiwaf-0.1.9.3.2.dist-info → aiwaf-0.1.9.3.4.dist-info}/WHEEL RENAMED Viewed

File without changes

{aiwaf-0.1.9.3.2.dist-info → aiwaf-0.1.9.3.4.dist-info}/licenses/LICENSE RENAMED Viewed

File without changes

{aiwaf-0.1.9.3.2.dist-info → aiwaf-0.1.9.3.4.dist-info}/top_level.txt RENAMED Viewed

File without changes

aiwaf 0.1.9.3.2__py3-none-any.whl → 0.1.9.3.4__py3-none-any.whl

Potentially problematic release.

aiwaf 0.1.9.3.2__py3-none-any.whl → 0.1.9.3.4__py3-none-any.whl