fix(default-config): must-accept-rule on browsers only (#1350)

TIL docker clients don't include the Accept header all the time. I would
have thought they did that. Oops.

Closes: #1346

Signed-off-by: Xe Iaso <me@xeiaso.net>
Xe Iaso 2025-12-19 15:42:24 -05:00 committed by GitHub
parent 535ed74b17
commit 9d9be61c24
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 9 additions and 2 deletions


@ -134,7 +134,10 @@ bots:
adjust: -5
- name: should-have-accept
expression: '!("Accept" in headers)'
expression:
all:
- userAgent.contains("Mozilla")
- '!("Accept" in headers)'
action: WEIGH
weight:
adjust: 5
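Review bot: the `userAgent.contains("Mozilla")` condition added to `should-have-accept` has no comment explaining why the rule is gated on the User-Agent, and the rule name now overstates what it checks. With the `all:` form, a request that lacks `Accept` and whose User-Agent does not contain "Mozilla" no longer receives the `adjust: 5` weight from this rule. If that is the intended trade-off, a short YAML comment above the expression saying so (non-browser clients such as docker do not always send `Accept`) would keep a later reader from "simplifying" it back, and a name along the lines of `browser-should-have-accept` (a suggestion, not an existing name) would match the new behaviour.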


@ -118,7 +118,10 @@
adjust: -5
- name: should-have-accept
expression: '!("Accept" in headers)'
expression:
all:
- userAgent.contains("Mozilla")
- '!("Accept" in headers)'
action: WEIGH
weight:
adjust: 5
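Review bot: this second copy of `should-have-accept` carries the same four-line `all:` expression as the first file, and none of the three changed files shown here adds a test for it. A regression case for each branch would be worth adding: a request without `Accept` and with a User-Agent that lacks "Mozilla" (the docker case from the commit message, expected to get no weight from this rule), and a request without `Accept` and with "Mozilla" in the User-Agent (expected to still get `adjust: 5`). That would also catch the two copies of the rule drifting apart.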


@ -27,6 +27,7 @@ Anubis is back and better than ever! Lots of minor fixes with some big ones inte
- Add support to simple Valkey/Redis cluster mode
- Open Graph passthrough now reuses the configured target Host/SNI/TLS settings, so metadata fetches succeed when the upstream certificate differs from the public domain. ([1283](https://github.com/TecharoHQ/anubis/pull/1283))
- Stabilize the CVE-2025-24369 regression test by always submitting an invalid proof instead of relying on random POW failures.
- Refine the check that ensures the presence of the Accept header to avoid breaking docker clients.
### Dataset poisoning
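Review bot: the new changelog line "Refine the check that ensures the presence of the Accept header to avoid breaking docker clients." does not say what the refinement is. Operators reading the release notes would benefit from knowing that the missing-`Accept` weight now applies only when the User-Agent contains "Mozilla", since that changes how non-browser traffic is scored. Referencing the issue the commit closes (#1346), in the same way the Open Graph entry above links its pull request, would also make the entry traceable.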