I'm currently looking into the AS7-2429 issue, which covers the implementation of a User Agent and Remote Address filter for the HTTP Management Interface. As stated in the JIRA issue, I've encapsulated the incoming request and only call processRequest if the User-Agent is specified in a list of allowed User-Agents.

Should we continue with the approach of white-listing User-Agents and remote addresses, or use a black-list where we specify which requests to deny?

The next question is how to allow configuration of the list of User Agents and Remote Addresses. How should this be done? Through the admin-console, a configuration file and/or something else?

Also, how do we want to configure the User-Agents and the matching? Should we use regexp pattern matching, string comparison, etc.?

Any feedback is appreciated.
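An added example, not part of the original post and not JBoss code: a default-deny allow-list filter of the kind the post describes, written against the JDK's `com.sun.net.httpserver.Filter` API as a stand-in for the management interface's request handling. The class name, patterns and addresses are hypothetical, and Java 16+ is assumed.

```java
import com.sun.net.httpserver.Filter;
import com.sun.net.httpserver.HttpExchange;
import java.io.IOException;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical allow-list filter; the policy values in main() are constructed.
public class ManagementAccessFilter extends Filter {
    private final List<Pattern> allowedAgents;   // regexes for the User-Agent header
    private final Set<String> allowedAddresses;  // exact textual IP addresses

    public ManagementAccessFilter(List<String> agentRegexes, Set<String> addresses) {
        this.allowedAgents = agentRegexes.stream().map(Pattern::compile).toList();
        this.allowedAddresses = Set.copyOf(addresses);
    }

    // Default deny: a missing header or any unlisted value is rejected.
    // matches() anchors the regex to the whole header, so "curl/.*" does not
    // accept a header that merely contains "curl/" somewhere inside it.
    boolean isAllowed(String userAgent, String remoteAddress) {
        if (userAgent == null || remoteAddress == null) return false;
        if (!allowedAddresses.contains(remoteAddress)) return false;
        return allowedAgents.stream().anyMatch(p -> p.matcher(userAgent).matches());
    }

    @Override
    public void doFilter(HttpExchange exchange, Chain chain) throws IOException {
        // The User-Agent header is client-supplied; the address comes from the socket.
        String agent = exchange.getRequestHeaders().getFirst("User-Agent");
        String addr = exchange.getRemoteAddress().getAddress().getHostAddress();
        if (isAllowed(agent, addr)) {
            chain.doFilter(exchange);               // pass on to the real handler
        } else {
            exchange.sendResponseHeaders(403, -1);  // 403 with no response body
            exchange.close();
        }
    }

    @Override
    public String description() { return "User-Agent and remote address allow-list"; }

    public static void main(String[] args) {
        ManagementAccessFilter f = new ManagementAccessFilter(
                List.of("curl/.*", "ExampleConsole/1\\.[0-9]+"), Set.of("127.0.0.1"));
        System.out.println(f.isAllowed("curl/7.79.1", "127.0.0.1"));    // listed agent and address
        System.out.println(f.isAllowed("x curl/7.79.1", "127.0.0.1"));  // substring only
        System.out.println(f.isAllowed("curl/7.79.1", "192.0.2.10"));   // unlisted address
        System.out.println(f.isAllowed(null, "127.0.0.1"));             // header absent
    }
}
```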