Block unauthorized form posts
ergec

5:35 pm on Feb 26, 2004 (gmt 0)

10+ Year Member



How can I block (with a forbidden message, for example) external (unauthorized) form posts from other domains (GET or POST method), except from my domain?

I wrote something, but it doesn't work.

RewriteEngine On
RewriteCond %{HTTP_REFERER}!^http://example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER}!^http://www.example.com/.*$ [NC]
RewriteCond %{REQUEST_METHOD}!^(GET|HEAD|POST) [NC,OR]
RewriteRule .* - [F]

[edited by: jdMorgan at 4:19 pm (utc) on Feb. 27, 2004]
[edit reason] Examplified URLs [/edit]

lemat

8:02 pm on Feb 26, 2004 (gmt 0)

10+ Year Member



Try:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
RewriteCond %{REQUEST_METHOD} ^POST [NC]
RewriteRule .* - [F]

I believe that blocking GET and HEAD requests that come without your referer is not what you want to do.

Also note that .*$ or ^.* patterns make no sense.

[edited by: jdMorgan at 4:20 pm (utc) on Feb. 27, 2004]
[edit reason] Examplified URLs [/edit]

ergec

7:14 am on Feb 27, 2004 (gmt 0)

10+ Year Member



No, lemat, the code doesn't work. Did you test it? If it works on your server, that means there is some problem on my server.

lemat

7:30 am on Feb 27, 2004 (gmt 0)

10+ Year Member



It works for me.

If you put it in an .htaccess file, make sure the file is readable by Apache and that Apache can use this file: check the Options and AllowOverride directives in httpd.conf.

Also make sure you have mod_rewrite loaded, and look into the server logs (error_log).

ergec

2:28 pm on Feb 27, 2004 (gmt 0)

10+ Year Member



Hey, I did it. The problem was, there should be a silly space right after {HTTP_REFERER}, and there shouldn't be backslashes "\" before ".". This one works fine on my server. I think it depends on server configuration. Peh ;). Thanks a lot, lemat.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)example.com/ [NC]
RewriteCond %{REQUEST_METHOD} ^POST [NC]
RewriteRule .* - [F]

[edited by: jdMorgan at 4:22 pm (utc) on Feb. 27, 2004]
[edit reason] Examplified URL, added double space [/edit]

ergec

2:31 pm on Feb 27, 2004 (gmt 0)

10+ Year Member



Hey, the forum didn't put the space after {HTTP_REFERER}. I was tearing my hair out for 2 days for nothing. :( :(

jdMorgan

4:18 pm on Feb 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> and there shouldn't be backslashes "\" before "."

Yes, there *should* be backslashes preceding any literal periods in your patterns.

Ref: [etext.lib.virginia.edu...]

Also, the meaning of (www\.)? is that the "www." may or may not be present in the request.
Do not add "/" to the end of your domain name; a port number, if added by a firewall or caching proxy, will go there, e.g. www.example.com:80/


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
RewriteCond %{REQUEST_METHOD} ^POST$ [NC]
RewriteRule .* - [F]

Jim

ergec

6:35 am on Feb 28, 2004 (gmt 0)

10+ Year Member



Thanks Jim, you are right.

Thanks to all

Ergec

spyder

1:32 pm on Feb 29, 2004 (gmt 0)

10+ Year Member



@jdMorgan

I can guess why the forum software swallows the space before the exclamation mark, as many people tend to inadvertently write "You did it !" instead of (correctly) "You did it!".

But would it be possible to turn off this behaviour inside [code][/code]? This could save a lot of the hassle observed in this thread. The same happened to me before, although I recognized it and was able to correct my post.

claus

2:35 pm on Feb 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I always tend to have the domain validation inside the script that said form calls; if you check for valid arguments anyway, you might as well check the referrer field also.

Disallowing POST from other domains in general is okay if all your forms must work that way, but you should have measures that will prevent them from just doing a GET on the form script(s) instead to get the result.
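An added example in Python (not code from any poster in this thread), showing the two approaches side by side: the pattern from jdMorgan's RewriteCond applied to a POST request the way mod_rewrite would apply it, and the in-script check claus describes, which parses the Referer and compares the hostname against an allow-list. ALLOWED_HOSTS, the function names and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts allowed to submit the forms (assumed; the thread uses example.com).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Python equivalent of jdMorgan's RewriteCond; [NC] becomes re.IGNORECASE.
# Because the trailing "/" was dropped to allow a port number, this is a
# prefix match: any hostname that merely begins with "example.com" passes.
# The parsed-host check below compares the whole hostname instead.
REFERER_RE = re.compile(r"^http://(www\.)?example\.com", re.IGNORECASE)


def rewrite_rule_blocks(method, referer):
    """Mirror the .htaccess logic: return True (403) when the method is POST
    and the Referer does not match the pattern. An absent header is the empty
    string in mod_rewrite, so a POST without Referer is blocked; GET/HEAD never are."""
    if method.upper() != "POST":
        return False
    return not REFERER_RE.match(referer or "")


def script_level_blocks(method, referer):
    """claus's approach, done inside the form script: parse the Referer,
    drop any port and case, and require the exact hostname to be allowed."""
    if method.upper() != "POST":
        return False
    if not referer:
        return True
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()  # .hostname strips ":80" and lowercases
    if parts.scheme.lower() not in ("http", "https"):
        return True
    return host not in ALLOWED_HOSTS


# Constructed sample requests: (method, Referer header or None when absent).
SAMPLES = [
    ("POST", "http://www.example.com/form.html"),        # normal own-site post
    ("POST", "http://example.com:80/form.html"),         # port added by a proxy
    ("POST", "http://other.test/form.html"),             # foreign site
    ("POST", None),                                      # Referer suppressed
    ("GET", None),                                       # plain page fetch
    ("POST", "http://example.com.other.test/form.html"), # hostname that only starts with example.com
]

if __name__ == "__main__":
    for method, ref in SAMPLES:
        print(method, ref, rewrite_rule_blocks(method, ref), script_level_blocks(method, ref))
```

The Referer header is supplied by the client and some browsers and proxies omit it, so either check also rejects those legitimate POSTs; it is a coarse filter to run alongside the argument validation claus mentions.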