Ogunnowo487

Htaccess, deny any request not coming from a form in the website

@Ogunnowo487

Posted in: #Htaccess

I'm not an .htaccess expert, so I beg your pardon for the basic question.

In a website I'm working on there's a form. The action URL of the form is a file placed in the root of the website.

I want to deny the direct access to this file (from the address bar of the browser, CURL and/or any other way I can't figure out) but the file must still be usable by the form (so the POST request coming from the form must not be blocked).

I tried this extreme approach:

<Files "_mf.php">
Order Allow,Deny
Deny from all
</Files>


What I want to know is whether I can exclude any referrer that is not the page where the form is located, and if this is a good approach.




1 Comment


@Alves908

Just to clarify, there is no foolproof way to restrict access in this instance (unless this is all behind some kind of authentication), since it needs to be accessible to your form. All you can do is prevent casual browsing. Anyone that really wants to submit requests to this script can do so.


<Files "_mf.php">
Order Allow,Deny
Deny from all
</Files>



The problem with this, as you probably found out, is that it blocks all requests, including POST requests from your form submission. What you could do is wrap this in a <LimitExcept> wrapper, so that it applies only to non-POST requests:

<LimitExcept POST>
<Files "_mf.php">
Order Allow,Deny
Deny from all
</Files>
</LimitExcept>


Any GET requests (e.g. "from the address bar of the browser") will be blocked (403 Forbidden), as will any PUT, DELETE, CONNECT, OPTIONS, etc. requests. But POST requests will be allowed through unhindered.

If you want to check the HTTP referer as well, then you could resort to mod_rewrite. For example:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !POST [OR]
RewriteCond %{HTTP_REFERER} !^http://example.com/
RewriteRule ^_mf.php - [F]


Where example.com is your canonical hostname. You could instead specify the exact URL of the referring page (the page that contains your form) if you wish:

RewriteCond %{HTTP_REFERER} !^http://example.com/path/to/file-that-contains-form$


This would need to go near the top of your .htaccess file.

What this says is... for all requests to /_mf.php that are either not POST requests or where the HTTP Referer is not your domain, serve a 403 Forbidden.

Note that this comes with caveats. It's possible that the user's browser is not set to send HTTP Referers - your script will not be accessible to those users. (This is rare, but some "power" users might choose to do this.)

Any user with CURL know-how can still fake the request and submit requests to your script without accessing your form, since they can submit a POST request and fake the HTTP referer.

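To make the behaviour of the mod_rewrite rules in the answer above concrete, here is an added Python model of their decision logic (example code written for this page, not Apache and not the poster's own; the hostname example.com and the sample requests are constructed). It mirrors the two negated RewriteConds joined by [OR] and shows which requests end up with a 403, including two cases the answer does not spell out: a site served over https and a lookalike hostname.

```python
import re
from typing import Optional

# Model of the answer's rules (assumption: example.com is the canonical host):
#   RewriteCond %{REQUEST_METHOD} !POST [OR]
#   RewriteCond %{HTTP_REFERER} !^http://example.com/
#   RewriteRule ^_mf.php - [F]
# Each RewriteCond is a negated, case-sensitive regex; [OR] joins the first two,
# so the rule fires (403) when EITHER condition holds.
REFERER_PATTERN = re.compile(r"^http://example.com/")
# The answer's unescaped "." is kept as written; it also matches e.g. "_mfXphp".
PROTECTED = re.compile(r"^_mf.php")


def rewrite_decision(method: str, path: str, referer: Optional[str]) -> int:
    """Return the status the rules produce: 403 (blocked) or 200 (passed through)."""
    if not PROTECTED.match(path):
        return 200                  # the rule only targets the form handler
    not_post = method != "POST"     # RewriteCond %{REQUEST_METHOD} !POST
    # A missing Referer header expands to the empty string, which the regex does
    # not match, so the negated condition is true and the request is blocked.
    bad_referer = REFERER_PATTERN.match(referer or "") is None
    return 403 if (not_post or bad_referer) else 200


# Constructed sample requests covering the cases discussed in the answer.
SAMPLES = [
    ("GET",  "_mf.php", "http://example.com/contact.html"),    # address bar / link
    ("POST", "_mf.php", "http://example.com/contact.html"),    # the real form
    ("POST", "_mf.php", None),                                  # browser sends no Referer
    ("POST", "_mf.php", "https://example.com/contact.html"),   # site moved to https
    ("POST", "_mf.php", "http://example.com.other.test/"),     # lookalike host, no match
    ("GET",  "index.html", None),                               # unrelated page
]


def run_samples():
    """Evaluate every sample; returns (method, path, referer, status) tuples."""
    return [(m, p, r, rewrite_decision(m, p, r)) for m, p, r in SAMPLES]


if __name__ == "__main__":
    for method, path, referer, status in run_samples():
        print(f"{method:4} {path:10} Referer={referer!r:40} -> {status}")
```

Note that the https case is blocked because the regex only admits http:// referers, so a site that later moves to TLS must widen the pattern (e.g. `^https?://example.com/`) or its own form stops working.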

