Is lack of User-Agent in HTTP request valid?

Question

We\'ve noticed that from time to time we will get a HTTP request without a valid User-Agent string. Is there any valid real-world case for accepting this type of HTTP request?

Answer 1

From my experience, there is not Legitimate use case, at least no common one.

From my server logs, all requests without a user agent are malicious. All come from bots.

In theory, someone who "really cares about privacy" could do this. It depends on what service you're providing. I run a couple of websites. People not using browsers are not my clients.

While it's true that it's trivial for a developer of malicious bots to add a user agent (fake one like Chrome), it doesn't mean it's not illegitimate in intention.