Reputation: 1433
I added a rule on Apache for HTTP compression. The rule is surely okay, but Fiddler shows that the response is not gzipped. (I tested with curl against localhost, and the response is gzipped.)
I suspect a firewall modifies the request header's Accept-Encoding into something different, even though Fiddler displays that the request header includes Accept-Encoding.
I mean, if Fiddler says your Accept-Encoding is like this..., but actually it's not.
I just want to make sure before contacting the firewall vendor.
And, just out of curiosity, what does Accept-Encoding have to do with security?
Upvotes: 2
Views: 2093
Reputation: 57085
Some firewalls and security software will mangle or remove an outbound ACCEPT-ENCODING header in order to prevent the server from using HTTP Compression to compress the response. Firewalls/security software sometimes prefer not to have to decompress responses before scanning (either because they don't know how to decompress, or because decompression takes CPU time).
Fiddler shows you the HTTP headers before they've left your computer and thus before they've been mangled by a firewall or an upstream gateway.
You can easily see the outbound headers from your HTTP request; see https://bayden.com/echo2.aspx and https://bayden.com/echo2.aspx to see the headers sent from the client. Note that HTTPS-request headers might be intact even if the HTTP-request headers are mangled, because intermediaries generally cannot interfere with HTTPS traffic.
Upvotes: 3
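To confirm the answer's point on your own server rather than a third-party echo page, the following added example (not part of the original answer) runs a small header-echo endpoint and compares the Accept-Encoding the client sent with what actually arrived. The names `EchoHeaders`, `classify`, `probe` and `start_echo_server` are hypothetical, and the "renamed" check assumes a mangled header keeps its original length and value.

```python
import json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class EchoHeaders(BaseHTTPRequestHandler):
    """Replies with the request headers exactly as they arrived at the server."""
    def do_GET(self):
        body = json.dumps(self.headers.items()).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass

def classify(sent_value, received):
    """Compare the Accept-Encoding we sent with the header list the server saw."""
    seen = {name.lower(): value for name, value in received}
    if "accept-encoding" not in seen:
        # Assumption: a mangled header keeps the original name length and value,
        # so the server no longer recognises it but the byte count is unchanged.
        for name, value in seen.items():
            if len(name) == len("accept-encoding") and value == sent_value:
                return "renamed to " + name
        return "removed"
    if seen["accept-encoding"] != sent_value:
        return "value changed to " + repr(seen["accept-encoding"])
    return "intact"

def probe(url, sent_value="gzip, deflate"):
    """Send a request through the normal network path and classify the result."""
    req = urllib.request.Request(url, headers={"Accept-Encoding": sent_value})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return classify(sent_value, json.load(resp))

def start_echo_server(host="127.0.0.1", port=0):
    """Start the echo endpoint in a background thread; port 0 picks a free port."""
    server = HTTPServer((host, port), EchoHeaders)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_echo_server()
    print(probe("http://127.0.0.1:%d/" % srv.server_address[1]))
```

Run the echo endpoint on a host on the far side of the firewall and call `probe` from the client; a loopback run like the one in `__main__` only establishes the baseline where nothing sits in between.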