ICAP requests (defined in RFC 3507) are HTTP-like messages used to send content to the ICAP Server for processing.
Basic format:
<ICAP Method> <ICAP URI> ICAP/1.0
ICAP-Headers
Encapsulated-HTTP-Message
EXAMPLE: REQMOD Request:
REQMOD icap://icap.example.net/reqmod ICAP/1.0
Host: icap.example.net
Encapsulated: req-hdr=0, null-body=0
GET / HTTP/1.1
Host: example.com
Key Elements:
Encapsulated: req-hdr=0, req-body=137
Invalid ICAP requests — such as those with malformed structure, unsupported methods, or missing mandatory headers — are rejected by the ICAP server and result in a 400 (Bad Request) response. Ensuring that requests follow the correct format, including a valid request line and properly defined Encapsulated header, is essential for successful processing.
OPTIONS
Sent by the client to discover what methods and capabilities the ICAP server supports.
Example request:
OPTIONS icap://<ICAP-SERVER-HOST>:<ICAP-SERVER-PORT>/OMSScanResp-AV ICAP/1.0
Host: <ICAP-CLIENT-IP>:<ICAP-SERVER-PORT>
Allow: 206
Example response:
ICAP/1.0 200 OK
Methods: REQMOD, RESPMOD, FILEMOD
Service: MetaDefender ICAP Server
ISTag: "<ISTAG-VALUE>"
Max-Connections: 100
Options-TTL: 3600
Allow: 204
Preview: 1024
Transfer-Preview: *
Encapsulated: null-body=0
REQMOD
Used to intercept and scan or modify an outgoing HTTP request, such as a file upload.
Example request:
REQMOD icap://<ICAP-SERVER-HOST>:<ICAP-SERVER-PORT>/virus_scan ICAP/1.0
Host: <ICAP-SERVER-HOST>:<ICAP-SERVER-PORT>
Encapsulated: req-hdr=0, null-body=170
GET / HTTP/1.1
Host: <ORIGIN-SERVER-HOST>
Accept: text/html, text/plain
Accept-Encoding: compress
Cookie: <SESSION-COOKIE>
If-None-Match: "<ETAG-VALUE>"
Example response:
ICAP/1.0 200 OK
ISTag: "<ISTAG-VALUE>"
Date: Tue, 16 Feb 2016 11:51:03 GMT
Service: MetaDefender ICAP Server
X-Violations-Found: 0
Encapsulated: req-hdr=0, null-body=0
GET / HTTP/1.1
Host: <ORIGIN-SERVER-HOST>
Accept: text/html, text/plain
Accept-Encoding: compress
RESPMOD
Used to intercept and scan or modify an HTTP response being returned to the client, such as a file download.
Example request:
RESPMOD icap://<ICAP-SERVER-HOST>:<ICAP-SERVER-PORT>/virus_scan ICAP/1.0
Host: <ICAP-SERVER-HOST>:<ICAP-SERVER-PORT>
Date: Tue, 16 Feb 2016 11:51:03 GMT
Encapsulated: req-hdr=0, res-hdr=618, res-body=831
X-Client-IP: <CLIENT-IP>
GET /eicar.dirty HTTP/1.1
Host: <ORIGIN-SERVER-HOST>
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate, sdch
HTTP/1.1 200 OK
Content-Disposition: attachment; filename="eicar.dirty"
Content-Length: 68
Content-Type: application/octet-stream
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Example response (threat detected):
ICAP/1.0 403 Forbidden
ISTag: "<ISTAG-VALUE>"
Date: Tue, 16 Feb 2016 11:51:04 GMT
Service: MetaDefender ICAP Server
X-Violations-Found: 1
eicar.dirty
EICAR Test String
11101
2
Encapsulated: null-body=0
FILEMOD
A non-standard extension that passes a local file path to the ICAP server for in-place scanning, without streaming the file over the network.
Example request:
FILEMOD icap://<ICAP-SERVER-HOST>:<ICAP-SERVER-PORT>/ ICAP/1.0
Host: <ICAP-SERVER-HOST>:<ICAP-SERVER-PORT>
X-Filepath: <PATH-TO-FILE>
Connection: close
Encapsulated: null-body=0
Example response (threat detected):
ICAP/1.0 403 Forbidden.
ISTag: "<ISTAG-VALUE>"
Date: Thu Nov 12 13:47:25 2020 GMT
Service: MetaDefender ICAP Server
Service-ID: Metascan
X-Violations-Found: 1
<FILENAME>
<THREAT-NAME>
<THREAT-ID>
<SEVERITY>
Encapsulated: null-body=0
Example response (clean file):
ICAP/1.0 204 No modifications needed
ISTag: "<ISTAG-VALUE>"
Date: Thu Nov 12 13:47:25 2020 GMT
Service: MetaDefender ICAP Server
Service-ID: Metascan
Encapsulated: null-body=0