Why would I choose to deny "unknown http headers" at my firewall? We have an application that sends, what else, Microsoft proprietary AJAX http headers. Our customer's firewall is swatting those down. One of our developers is telling us just have the customer disable that setting. Unfortunately I don't have the brand and model of the firewall. Is there the potential for abuse with unknown headers (generally speaking)? Or is this a redundant filter? Why would you use them? Can anyone point me to papers that describe attacks using this kind of header?