Target Blank User Agent

Category: Blog • Posted by Jeff Starr • Updated:

How to target a blank or empty User Agent using .htaccess.


Here is the magic regex:


For example, here we are preventing spam by blocking no-referrer requests:

RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !(.*)example\.com(.*) [OR]
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* [R=301,L]

Detecting blank user agents is essential to this technique, as evidenced in the penultimate line.

What about..

You may have been thinking that this works just fine:


While that does match blank or empty user agents in most cases, it doesn’t catch the ones that are reported with a single dash, like so:


Granted this is not that common, but it does happen.

So to catch the dash OR empty user agent, ^-?$ is gonna be your best bet.


Back in the day, I used to target and block empty user agents, because they were only used by bad actors and malicious scripts, etc. Then a few years went by and Facebook actually started using the blank UA (amazingly bad move). Then other developers followed suit and also started using it. Fast-forward to today, and the blank user-agent string is used all over the place. So it’s not a good idea to block wholesale, say, all requests made without a UA. The technique remains useful for other purposes, however, just not anything in the blacklist/blocking department.

It’s too bad too, because blocking the empty UA once was a super-effective method for stopping potential attacks.