{"id":1734203,"date":"2026-07-13T11:52:01","date_gmt":"2026-07-13T09:52:01","guid":{"rendered":"https:\/\/blog.wedos.com\/?p=1734203"},"modified":"2026-07-14T09:44:41","modified_gmt":"2026-07-14T07:44:41","slug":"proc-je-curl-bez-user-agent-problem","status":"publish","type":"post","link":"https:\/\/blog.wedos.com\/cs\/proc-je-curl-bez-user-agent-problem","title":{"rendered":"Pro\u010d je CURL bez User-Agent probl\u00e9m?"},"content":{"rendered":"\n<p>Ob\u010das se na n\u00e1s obrac\u00ed z\u00e1kazn\u00edci s dotazem, pro\u010d jejich skript, monitoring nebo integrace najednou dost\u00e1v\u00e1 odpov\u011b\u010f 401, zat\u00edmco stejn\u00e1 URL v prohl\u00ed\u017ee\u010di funguje bez probl\u00e9m\u016f. Ve velk\u00e9 \u010d\u00e1sti p\u0159\u00edpad\u016f je odpov\u011b\u010f p\u0159ekvapiv\u011b jednoduch\u00e1: po\u017eadavek p\u0159ich\u00e1z\u00ed bez hlavi\u010dky User-Agent, nebo s pr\u00e1zdnou hodnotou. A to je z pohledu modern\u00ed webov\u00e9 bezpe\u010dnosti probl\u00e9m. Poj\u010fme si vysv\u011btlit pro\u010d, co na to \u0159\u00edkaj\u00ed standardy a jak to spr\u00e1vn\u011b vy\u0159e\u0161it.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">Co \u0159\u00edk\u00e1 standard<\/h2>\n\n\n\n<p>Hlavi\u010dka User-Agent nen\u00ed \u017e\u00e1dn\u00e1 novinka ani kosmetick\u00e1 z\u00e1le\u017eitost. Definuje ji p\u0159\u00edmo z\u00e1kladn\u00ed specifikace protokolu HTTP, aktu\u00e1ln\u011b RFC 9110 (HTTP Semantics), v sekci 10.1.5. Formulace je jednozna\u010dn\u00e1: klient by m\u011bl (SHOULD) pos\u00edlat hlavi\u010dku User-Agent v ka\u017ed\u00e9m po\u017eadavku. Terminologie SHOULD podle RFC 2119 znamen\u00e1, \u017ee vynech\u00e1n\u00ed je p\u0159\u00edpustn\u00e9 jen ve v\u00fdjime\u010dn\u00fdch, dob\u0159e od\u016fvodn\u011bn\u00fdch p\u0159\u00edpadech, a klient si mus\u00ed b\u00fdt v\u011bdom d\u016fsledk\u016f.<\/p>\n\n\n\n<p>Po\u017eadavek bez User-Agent tedy technicky nen\u00ed nevalidn\u00ed HTTP. Je ale v rozporu s doporu\u010den\u00edm standardu, a to z dobr\u00e9ho d\u016fvodu. Specifikace p\u0159\u00edmo uv\u00e1d\u00ed, k \u010demu hlavi\u010dka slou\u017e\u00ed: k identifikaci klienta pro \u00fa\u010dely statistik, lad\u011bn\u00ed probl\u00e9m\u016f a p\u0159izp\u016fsoben\u00ed odpov\u011bd\u00ed. Klient, kter\u00fd se odm\u00edt\u00e1 jakkoli identifikovat, se dobrovoln\u011b vzd\u00e1v\u00e1 mo\u017enosti, aby s n\u00edm server jednal jako s legitimn\u00edm prot\u011bj\u0161kem.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Curl s\u00e1m o sob\u011b User-Agent pos\u00edl\u00e1<\/h2>\n\n\n\n<p>D\u016fle\u017eit\u00fd fakt, kter\u00fd se v diskuz\u00edch \u010dasto p\u0159ehl\u00ed\u017e\u00ed: curl pos\u00edl\u00e1 User-Agent zcela automaticky. Ka\u017ed\u00fd b\u011b\u017en\u00fd po\u017eadavek p\u0159es curl obsahuje hlavi\u010dku ve tvaru:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>User-Agent: curl\/8.5.0\n<\/code><\/pre>\n\n\n\n<p>Stejn\u011b se chovaj\u00ed wget, Python requests, Guzzle, Axios i prakticky v\u0161echny dal\u0161\u00ed HTTP knihovny. Kdy\u017e tedy na server doraz\u00ed po\u017eadavek \u00fapln\u011b bez User-Agent, znamen\u00e1 to jedin\u00e9: n\u011bkdo si hlavi\u010dku aktivn\u011b odstranil (typicky p\u0159ep\u00edna\u010dem <code>-A \"\"<\/code> nebo <code>-H \"User-Agent:\"<\/code>), nebo jde o vlastn\u00ed n\u00edzko\u00farov\u0148ovou implementaci HTTP klienta. Ani jedno nen\u00ed chov\u00e1n\u00ed b\u011b\u017en\u00e9ho legitimn\u00edho software. Naopak, je to typick\u00fd otisk skener\u016f zranitelnost\u00ed, spam bot\u016f, scraper\u016f a dal\u0161\u00edch automatizovan\u00fdch n\u00e1stroj\u016f, kter\u00e9 se sna\u017e\u00ed neb\u00fdt identifikovateln\u00e9.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Chyb\u011bj\u00edc\u00ed User-Agent jako bezpe\u010dnostn\u00ed sign\u00e1l<\/h2>\n\n\n\n<p>Pr\u00e1v\u011b proto se absence nebo pr\u00e1zdn\u00e1 hodnota User-Agent stala v oboru zaveden\u00fdm indik\u00e1torem podez\u0159el\u00e9ho provozu. N\u011bkolik konkr\u00e9tn\u00edch p\u0159\u00edklad\u016f z praxe:<\/p>\n\n\n\n<p>OWASP Core Rule Set, referen\u010dn\u00ed sada pravidel pro ModSecurity a dal\u0161\u00ed WAF \u0159e\u0161en\u00ed, obsahuje pravidlo 920320 (Missing User Agent Header), kter\u00e9 chyb\u011bj\u00edc\u00ed hlavi\u010dku p\u0159\u00edmo penalizuje ve sk\u00f3re anom\u00e1li\u00ed. Velk\u00e9 CDN a bezpe\u010dnostn\u00ed slu\u017eby, v\u010detn\u011b Cloudflare nebo AWS WAF, s chyb\u011bj\u00edc\u00edm \u010di pr\u00e1zdn\u00fdm User-Agent pracuj\u00ed jako s jedn\u00edm ze sign\u00e1l\u016f pro challenge nebo blokaci. Anal\u00fdzy provozu dlouhodob\u011b ukazuj\u00ed, \u017ee pod\u00edl \u0161kodliv\u00fdch po\u017eadavk\u016f mezi provozem bez User-Agent je \u0159\u00e1dov\u011b vy\u0161\u0161\u00ed ne\u017e v b\u011b\u017en\u00e9m provozu.<\/p>\n\n\n\n<p>Blokov\u00e1n\u00ed nebo omezov\u00e1n\u00ed po\u017eadavk\u016f bez User-Agent tedy nen\u00ed \u017e\u00e1dn\u00fd exces. Je to standardn\u00ed pr\u016fmyslov\u00e1 praxe, kterou uplat\u0148uje v\u011bt\u0161ina seri\u00f3zn\u00edch provozovatel\u016f infrastruktury.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Jak k tomu p\u0159istupuje WEDOS Protection<\/h2>\n\n\n\n<p>Na\u0161e ochrana <strong>WEDOS Protection <\/strong>se chov\u00e1 stejn\u011b jako v\u00fd\u0161e zm\u00edn\u011bn\u00e1 \u0159e\u0161en\u00ed. Po\u017eadavky bez User-Agent hlavi\u010dky, p\u0159\u00edpadn\u011b s pr\u00e1zdnou hodnotou, vyhodnocuje jako rizikov\u00fd provoz a blokuje je. Stejn\u00e1 pravidla plat\u00ed i na hostinz\u00edch VEDOS Hosting, kde ochrana b\u011b\u017e\u00ed nad weby z\u00e1kazn\u00edk\u016f.<\/p>\n\n\n\n<p>Nen\u00ed to samo\u00fa\u010deln\u00e9 opat\u0159en\u00ed. Re\u00e1ln\u00e9 \u00fatoky, kter\u00e9 na chr\u00e1n\u011bn\u00e9 infrastruktu\u0159e denn\u011b vid\u00edme, ve v\u00fdznamn\u00e9 m\u00ed\u0159e p\u0159ich\u00e1zej\u00ed pr\u00e1v\u011b bez identifikace klienta. Blokace tohoto provozu odfiltruje zna\u010dnou \u010d\u00e1st automatizovan\u00fdch sken\u016f a \u00fatok\u016f je\u0161t\u011b p\u0159edt\u00edm, ne\u017e se dostanou k aplikaci, a to s prakticky nulov\u00fdm dopadem na legitimn\u00ed n\u00e1v\u0161t\u011bvn\u00edky. B\u011b\u017en\u00fd u\u017eivatel s prohl\u00ed\u017ee\u010dem, vyhled\u00e1vac\u00ed roboty ani korektn\u011b napsan\u00e9 integrace se s t\u00edmto pravidlem nikdy nepotkaj\u00ed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Jak m\u00e1 spr\u00e1vn\u00fd User-Agent vypadat<\/h2>\n\n\n\n<p>Pokud provozujete vlastn\u00ed skript, monitoring, integraci nebo bota, doporu\u010dujeme pos\u00edlat User-Agent, kter\u00fd spl\u0148uje t\u0159i jednoduch\u00e9 z\u00e1sady: identifikuje, co jste za\u010d, uv\u00e1d\u00ed verzi a nab\u00edz\u00ed kontakt nebo odkaz, kde se o va\u0161em klientovi d\u00e1 zjistit v\u00edc. Osv\u011bd\u010den\u00fd form\u00e1t vypad\u00e1 takto:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>User-Agent: NazevSluzby\/1.0 (+https:\/\/www.example.cz\/bot-info; admin@example.cz)\n<\/code><\/pre>\n\n\n\n<p>V curl to znamen\u00e1 jedin\u00fd p\u0159ep\u00edna\u010d:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -A \"NazevSluzby\/1.0 (+https:\/\/www.example.cz\/bot-info)\" https:\/\/cilova-url.cz\/\n<\/code><\/pre>\n\n\n\n<p>Tento vzor pou\u017e\u00edvaj\u00ed i velc\u00ed hr\u00e1\u010di. Googlebot, monitoring slu\u017eby nebo API klienti renomovan\u00fdch firem se v\u017edy jasn\u011b identifikuj\u00ed a uv\u00e1d\u011bj\u00ed URL s informacemi o sv\u00e9m provozu. Provozovatel serveru si pak m\u016f\u017ee ov\u011b\u0159it, o koho jde, nastavit pro n\u011bj v\u00fdjimky, nebo ho v p\u0159\u00edpad\u011b probl\u00e9m\u016f kontaktovat. Je to z\u00e1kladn\u00ed projev slu\u0161nosti mezi stroji na internetu.<\/p>\n\n\n\n<p><strong>\u010cemu se naopak vyhnout: krat\u0161\u00ed hodnot\u011b ne\u017e \u010dty\u0159i znaky, pr\u00e1zdn\u00e9 hodnot\u011b, samotn\u00e9mu v\u00fdchoz\u00edmu <code>curl\/8.x<\/code> <\/strong>u produk\u010dn\u00edch integrac\u00ed (funguje, ale nic ne\u0159\u00edk\u00e1 o va\u0161\u00ed slu\u017eb\u011b) a pad\u011bl\u00e1n\u00ed User-Agent prohl\u00ed\u017ee\u010de. Vyd\u00e1vat skript za Chrome nebo Firefox je kr\u00e1tkozrak\u00e9, proto\u017ee modern\u00ed ochrany v\u010detn\u011b t\u00e9 na\u0161\u00ed ov\u011b\u0159uj\u00ed konzistenci klienta i jin\u00fdmi metodami a nekonzistentn\u00ed otisk vede k hor\u0161\u00edmu sk\u00f3re, ne lep\u0161\u00edmu.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pro\u010d je lep\u0161\u00ed opravit klienta ne\u017e \u017e\u00e1dat o v\u00fdjimku na IP<\/h2>\n\n\n\n<p>\u010cast\u00e1 prvn\u00ed reakce zn\u00ed: &#8222;Tak mi tu IP adresu prost\u011b povolte.&#8220; Rozum\u00edme tomu, ale je to hor\u0161\u00ed \u0159e\u0161en\u00ed ne\u017e jedno\u0159\u00e1dkov\u00e1 oprava na stran\u011b klienta, a to z n\u011bkolika praktick\u00fdch d\u016fvod\u016f.<\/p>\n\n\n\n<p>V\u00fdjimka na IP oslabuje ochranu. Whitelist typicky neznamen\u00e1 &#8222;pus\u0165 requesty bez User-Agent&#8220;, ale &#8222;na tuto IP neaplikuj kontroly&#8220;. Pokud je zdrojem sd\u00edlen\u00fd server, cloudov\u00e1 instance nebo slu\u017eba t\u0159et\u00ed strany, v\u00fdjimku s v\u00e1mi sd\u00edl\u00ed i v\u0161echno ostatn\u00ed, co z t\u00e9 adresy b\u011b\u017e\u00ed, v\u010detn\u011b p\u0159\u00edpadn\u011b kompromitovan\u00e9ho souseda. A cloudov\u00e9 IP adresy se nav\u00edc recykluj\u00ed: instance zanikne, adresu dostane n\u011bkdo ciz\u00ed a v\u00fdjimka na n\u00ed z\u016fst\u00e1v\u00e1, dokud si na ni n\u011bkdo nevzpomene.<\/p>\n\n\n\n<p>Whitelist je z\u00e1vazek do budoucna, oprava je jednor\u00e1zov\u00e1. IP adresy se m\u011bn\u00ed p\u0159i ka\u017ed\u00e9 migraci, zm\u011bn\u011b poskytovatele, \u0161k\u00e1lov\u00e1n\u00ed nebo p\u0159echodu na IPv6. Monitorovac\u00ed a integra\u010dn\u00ed slu\u017eby dnes nav\u00edc b\u011b\u017en\u011b b\u011b\u017e\u00ed distribuovan\u011b z des\u00edtek adres, kter\u00e9 se pr\u016fb\u011b\u017en\u011b obm\u011b\u0148uj\u00ed. Ka\u017ed\u00e1 takov\u00e1 zm\u011bna znamen\u00e1 nov\u00fd ticket, v\u00fdpadek a \u010dek\u00e1n\u00ed. Spr\u00e1vn\u011b nastaven\u00fd User-Agent naproti tomu cestuje s klientem: nastav\u00edte ho jednou a funguje odkudkoli.<\/p>\n\n\n\n<p>Oprava funguje v\u0161ude, v\u00fdjimka jen u n\u00e1s. V\u00fdjimku na IP v\u00e1m m\u016f\u017eeme z\u0159\u00eddit na na\u0161\u00ed infrastruktu\u0159e, ale stejn\u00fd skript bez User-Agent naraz\u00ed i u Cloudflare, AWS WAF a dal\u0161\u00edch poskytovatel\u016f, kte\u0159\u00ed toto chov\u00e1n\u00ed penalizuj\u00ed \u00fapln\u011b stejn\u011b. Opravou klienta vy\u0159e\u0161\u00edte probl\u00e9m glob\u00e1ln\u011b, whitelistem jen lok\u00e1ln\u011b a do\u010dasn\u011b.<\/p>\n\n\n\n<p>A nakonec ten nejjednodu\u0161\u0161\u00ed argument: pom\u011br \u00fasil\u00ed. V\u00fdjimka znamen\u00e1 komunikaci, evidenci, \u00fadr\u017ebu a trval\u00e9 bezpe\u010dnostn\u00ed riziko. Oprava znamen\u00e1 jeden p\u0159ep\u00edna\u010d v curl nebo jeden \u0159\u00e1dek v konfiguraci knihovny. Nen\u00ed moc situac\u00ed, kde je spr\u00e1vn\u00e9 \u0159e\u0161en\u00ed z\u00e1rove\u0148 to v\u00fdrazn\u011b levn\u011bj\u0161\u00ed, tady ano.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Shrnut\u00ed<\/h2>\n\n\n\n<p>User-Agent je hlavi\u010dka doporu\u010den\u00e1 p\u0159\u00edmo HTTP standardem (RFC 9110), kterou v\u0161echny b\u011b\u017en\u00e9 klienty pos\u00edlaj\u00ed automaticky. Jej\u00ed absence je spolehliv\u00fdm sign\u00e1lem z\u00e1m\u011brn\u011b upraven\u00e9ho, typicky automatizovan\u00e9ho a \u010dasto \u0161kodliv\u00e9ho klienta, a proto ji ochrany typu OWASP CRS, Cloudflare, AWS WAF i <strong>WEDOS Protection<\/strong> penalizuj\u00ed nebo blokuj\u00ed. <strong>\u0158e\u0161en\u00ed je trivi\u00e1ln\u00ed: identifikujte se<\/strong>. Jeden p\u0159ep\u00edna\u010d v curl nebo jeden \u0159\u00e1dek v konfiguraci va\u0161\u00ed knihovny a v\u00e1\u0161 provoz p\u0159estane vypadat jako \u00fatok.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ob\u010das se na n\u00e1s obrac\u00ed z\u00e1kazn\u00edci s dotazem, pro\u010d jejich skript, monitoring nebo integrace najednou dost\u00e1v\u00e1 odpov\u011b\u010f 401, zat\u00edmco stejn\u00e1 URL v prohl\u00ed\u017ee\u010di funguje bez probl\u00e9m\u016f. Ve velk\u00e9 \u010d\u00e1sti p\u0159\u00edpad\u016f je odpov\u011b\u010f p\u0159ekvapiv\u011b jednoduch\u00e1: po\u017eadavek p\u0159ich\u00e1z\u00ed bez hlavi\u010dky User-Agent, nebo s pr\u00e1zdnou hodnotou. A to je z pohledu modern\u00ed webov\u00e9 bezpe\u010dnosti probl\u00e9m. Poj\u010fme si vysv\u011btlit &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.wedos.com\/cs\/proc-je-curl-bez-user-agent-problem\" class=\"more-link\">Pokra\u010dovat ve \u010dten\u00ed<span class=\"screen-reader-text\"> &#8222;Pro\u010d je CURL bez User-Agent probl\u00e9m?&#8220;<\/span><\/a><\/p>\n","protected":false},"author":16,"featured_media":1734207,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1734203","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-spolecnost"],"_links":{"self":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1734203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/comments?post=1734203"}],"version-history":[{"count":6,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1734203\/revisions"}],"predecessor-version":[{"id":1736024,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1734203\/revisions\/1736024"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media\/1734207"}],"wp:attachment":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media?parent=1734203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/categories?post=1734203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/tags?post=1734203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}