Knowledge Search


[Juniper WebApp Secure] AJAX call with "x-requested-with" header fails when going through JWAS

  [KB28324] Show Article Properties

HTTP requests can fail when the relevant header is missing in the Predefined Request Headers list of Juniper WebApp Secure (JWAS) (aka Mykonos)

When running a page containing an AJAX call, a check for the header variable "X-Requested-With: XMLHttpRequest" is performed to prevent direct access. When the request is through JWAS, the call fails.
The AJAX calls fails as JWAS strips off the unknown headers. This causes the call to fail since this check fails and is believed to be an invalid request by the end server.
The issue occurs as this header is missing from the JWAS standard header request list; thus the request doesn’t go through.

The solution is to add the header via JWAS WebUI. 
  1. Select: Configuration > Processors > Header Processor > Known Request Headers
  2. Click on Add and add "x-requested-with" as the header name
  3. Set:
    • Order to 1
    • Allow Multiple to True
    • Required to False
    • Illegal to False
    • Removable to False
  4. Save the configuration and thereafter the request goes through fine.
Modification History:
2019-03-25: content reviewed for accuracy
Related Links: