False Positives with PL4 rule 920274 (msg: Invalid character in request headers (outside of very strict set))

Description

I have a lot of false positives with PL4 rule 920274 (I know it’s PL4!) The rule’s message is: Invalid character in request headers (outside of very strict set)

• Comment, what characters are allowed
• Link to rule

Audit Logs / Triggered Rule Numbers

Although it is a PL4 rule, in my opinion it is far too strict and I would like to relax it.

Rule violations I often see:

• Sec-CH-UA: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-CH-UA. Hint: REQUEST_HEADERS:Sec-CH-UA-Mobile is already excluded from this rule.
• REQUEST_HEADERS:from=googlebot(at)googlebot.com
• REQUEST_HEADERS:x-authenticated-user=someone@somewhere.xy
• REQUEST_HEADERS:via=1.1 172.x.y.z (McAfee Web Gateway 10.2.3.38089) or other versions
• REQUEST_HEADERS:x-user-identity=name@somedomain.xy - Exchange autodiscover requests
• REQUEST_HEADERS:x-anchormailbox=name@somedomain.xy - Exchange autodiscover requests
• REQUEST_HEADERS:from=bingbot(at)microsoft.com - bingbot indexing

I would like to do the following two changes to the rule:

1. Add an exclusion for Sec-CH-UA like we already have for Sec-CH-UA-Mobile
2. Add the brackets ( and ) and maybe the @ to the list of allowed characters

What do you think. Is it worth improving a PL4 rule? I would say yes, because I think we should always allow compliant requests, even at PL4.