
Strange user requests in access logs

I was evaluating the access logs of our reverse proxy and noticed some strange user requests.

A normal request should be for the user to access a page with a form through a GET request, for example:

XXX.XXX.XXX.XXX www.example.de - [25/Jul/2023:07:31:01 0200] "GET /routetoform/ HTTP/1.1" 200 TO ORIGIN "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) EdgiOS/114.0.1823.82 Version/16.0 Mobile/15E148 Safari/604.1"

Then, when the user submits the form:

0200] "POST /routetoform/ HTTP/1.1" 200 TO ORIGIN "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) EdgiOS/114.0.1823.82 Version/16.0 Mobile/15E148 Safari/604.1"

But I found that many requests start with the second line, which is the POST request, without the first line. So the user directly sends the form without even seeing it.

The user agent is always iPhone Safari:

Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) EdgiOS/114.0.1823.82 Version/16.0 Mobile/15E148 Safari/604.1

My thought was "Hey, maybe the user device just got a new IP address before sending the POST request." So I searched by user agent, but found no other records.

So, the user does enter the POST request directly.

I tried to find information about this behavior on the web but was unsuccessful.

Does anyone have any ideas what could be causing this? The user agent doesn't really point to a bot, and who on earth could get to the page with a "I just submitted the form" request?
P粉158473780 544 days ago


  • P粉275883973

    P粉275883973 2023-07-29 19:45:39

    Anyone with a browser plugin or basic programming skills can create a POST request and submit whatever they want in the browser string header.

    Unless these requests cause any issues, I wouldn't pay too much attention to this.


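The check described in the question (a POST to the form route with no earlier GET from the same IP, or from the same user agent in case the IP changed), written as an added example that is not part of the original thread. The field layout follows the quoted log lines; the sample lines, the IPs, the shortened user agents, the `+` in the timezone offset and the 30-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout assumed from the question's log lines: ip host - [time] "request" status ... "UA"
LINE = re.compile(
    r'(?P<ip>\S+) (?P<host>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) .*"(?P<ua>[^"]*)"$')

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The quoted lines show a bare "0200"; a leading "+" is assumed here.
    ts = re.sub(r" (\d{4})$", r" +\1", rec["ts"])
    rec["ts"] = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return rec

def posts_without_get(lines, path="/routetoform/", window=timedelta(minutes=30)):
    """POSTs to `path` with no GET of it from the same IP, or the same user agent
    (covers an IP change), in the prior `window`. Expects chronological lines."""
    last_get_ip, last_get_ua, orphans = {}, {}, []
    for rec in filter(None, map(parse, lines)):
        if rec["path"] != path:
            continue
        if rec["method"] == "GET":
            last_get_ip[rec["ip"]] = last_get_ua[rec["ua"]] = rec["ts"]
        elif rec["method"] == "POST":
            prior = (last_get_ip.get(rec["ip"]), last_get_ua.get(rec["ua"]))
            if not any(t and rec["ts"] - t <= window for t in prior):
                orphans.append(rec)  # also hit by a form tab left open > window
    return orphans

def _line(ip, hms, method, ua):  # builds one constructed sample line
    return (f'{ip} www.example.de - [25/Jul/2023:{hms} +0200] '
            f'"{method} /routetoform/ HTTP/1.1" 200 TO ORIGIN "{ua}"')

UA_A = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) Safari/604.1"
UA_B = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) Safari/604.1"
SAMPLE = [  # constructed traffic, documentation-range IPs
    _line("192.0.2.10", "07:31:01", "GET", UA_A),
    _line("192.0.2.10", "07:31:40", "POST", UA_A),    # normal: GET then POST
    _line("203.0.113.5", "07:50:00", "POST", UA_A),   # new IP, same UA: matched
    _line("198.51.100.7", "07:55:12", "POST", UA_B),  # no GET at all
    _line("192.0.2.10", "09:10:00", "POST", UA_A),    # GET older than window
]

if __name__ == "__main__":
    print(*(f'{r["ts"]} {r["ip"]}' for r in posts_without_get(SAMPLE)), sep="\n")
```

Grouping the returned records by IP and time of day shows whether the direct POSTs come from a few sources in bursts or are spread thinly across many clients.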