Bad Behavior 2.2.16 has been released. This is a maintenance release and is recommended for all users.
The following changes have been made since 2.2.15:
viaHTTP header, when present in all lowercase letters, violates a convention that headers should be in mixed case, and the lowercase-only header is commonly seen from malicious proxy servers. However, the actual HTTP specifications do not disallow it, and a check for this lowercase header does block some legitimate traffic. Therefore this version of Bad Behavior has been changed to check for lowercase
viaonly in strict mode. This resolves an issue where web users at certain large companies are blocked; sites expecting these visitors should not enable strict mode.
Just as a reminder, if you use CloudFlare on your site, you must enable the Reverse Proxy option in Bad Behavior’s settings, or many of your visitors and search engines will be blocked.