A service I use has decided to block HTTP requests that do not provide a UserAgent, citing security reasons.
As far as I can tell, the UserAgent is a string without a standard format used primarily for statistics, serving different page versions (eg mobile), and blocking bots. The RFC says it SHOULD (but not MUST) be sent.
Why Shellshock works in useragent string? suggests that a malicious UserAgent could be constructed, but the service is blocking requests without a UserAgent.
Is there a vulnerability around absent UserAgent headers I'm not aware of?