fix(default-config): must-accept-rule on browsers only (#1350)

Xe · web-flow · commit 9d9be61c2400 · 2025-12-19T20:42:24.000Z
TIL docker clients don't include the Accept header all the time. I would have thought they did that. Oops. Closes: #1346 Signed-off-by: Xe Iaso <me@xeiaso.net>
diff --git a/data/botPolicies.yaml b/data/botPolicies.yaml
@@ -134,7 +134,10 @@ bots:
       adjust: -5
 
   - name: should-have-accept
-    expression: '!("Accept" in headers)'
+    expression:
+      all:
+        - userAgent.contains("Mozilla")
+        - '!("Accept" in headers)'
     action: WEIGH
     weight:
       adjust: 5
diff --git a/data/meta/default-config.yaml b/data/meta/default-config.yaml
@@ -118,7 +118,10 @@
     adjust: -5
 
 - name: should-have-accept
-  expression: '!("Accept" in headers)'
+  expression:
+    all:
+      - userAgent.contains("Mozilla")
+      - '!("Accept" in headers)'
   action: WEIGH
   weight:
     adjust: 5
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
@@ -27,6 +27,7 @@ Anubis is back and better than ever! Lots of minor fixes with some big ones inte
 - Add support to simple Valkey/Redis cluster mode
 - Open Graph passthrough now reuses the configured target Host/SNI/TLS settings, so metadata fetches succeed when the upstream certificate differs from the public domain. ([1283](https://github.com/TecharoHQ/anubis/pull/1283))
 - Stabilize the CVE-2025-24369 regression test by always submitting an invalid proof instead of relying on random POW failures.
+- Refine the check that ensures the presence of the Accept header to avoid breaking docker clients.
 
 ### Dataset poisoning
 
