Blocking POST method

     
1:12 am on Jul 6, 2018 (gmt 0)

Preferred Member from CA 

joined:Feb 7, 2017
posts: 397
votes: 33


<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://.*example\.com [NC]
RewriteRule .* - [F,L]
</IfModule>

I do block posts unless POST from my site.


- - -

[edited by: keyplyr at 1:41 am (utc) on Jul 6, 2018]
[edit reason] clean-up [/edit]

1:55 am on July 6, 2018 (gmt 0)

Senior Member from US 

lucy24 (WebmasterWorld Senior Member)

joined:Apr 9, 2011
posts:14905
votes: 649


Psst! You don't need the IfModule envelope in this situation. It is sometimes necessary to include it if it's part of CMS boilerplate, but in your own config / htaccess file the envelope is superfluous. Either you've got mod_rewrite or you haven't.

The [L] flag will do no harm, but it isn't needed. All 400-class responses ([F], [G], [R=404] and so on) carry an implied [L].

If you really want to save the picoseconds, replace .* with . alone. The server doesn't need to read the whole URL; it just needs to verify that there is one. (Kinda pointless here, since if there had been no request, mod_rewrite wouldn't be running in the first place, but there you have it. The syntax of the module requires that there be something at this point in the pattern.)

5:27 am on July 6, 2018 (gmt 0)

Administrator from US 

not2easy (WebmasterWorld Administrator)

joined:Dec 27, 2006
posts:3842
votes: 212


Just a note for those using WordPress - your WP crons use "POST" and don't use a referrer.

The UA is the currently installed version number of WP + your domain name in the UA. It might be easier to allow for your domain IP than continually needing to update the version number, especially with automated updates. Just mention this so some WP person doesn't drop in and copy/paste a cron block.
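
An added example, not part of any post in this thread: the POST rule from the first post with the simplifications suggested in the second post and the own-IP exception suggested in the third. Assumptions: 203.0.113.10 is a placeholder for the server's own IP address, the site is example.com with or without www, and the Referer check is widened to accept https as well as http and anchored to the host name.

```apache
# Added example for a per-directory .htaccess file.
# 203.0.113.10 is a placeholder: replace it with the address your server
# uses when it makes requests to itself.
RewriteEngine On

# Only POST requests are candidates for blocking.
RewriteCond %{REQUEST_METHOD} =POST

# Exempt requests the server sends to itself (for example WordPress cron),
# which use POST and carry no Referer header.
RewriteCond %{REMOTE_ADDR} !=203.0.113.10

# Block unless the Referer starts with this site's own host name.
# The pattern is anchored after the host, so a Referer that merely
# contains "example.com" somewhere in its path or query does not pass.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]

# "^" matches every request, including the empty path that a request
# for the directory root has in .htaccess context.
# [F] returns 403 and implies [L], so no separate [L] flag is needed.
RewriteRule ^ - [F]
```

The Referer header is supplied by the client, so this rule filters unsophisticated automated POSTs and is not an authentication check.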