block cross site post requests

Fix it!!

block cross site post requests

Postby 4e4en » Mon Aug 04, 2008 8:30 am

Hello,

i would like to know, how to block cross site post requests, for now i tried to code it, but code which i wrote, isn't working:

Code: Select all
RewriteCond %{REQUEST_METHOD}  ^POST [NC]
RewriteCond %{HTTP_REFERER}    !%{HTTP_HOST} [NC]
RewriteRule (.*) backend_error.php [L]
4e4en
 
Posts: 1
Joined: Mon Aug 04, 2008 8:27 am

Postby richardk » Wed Aug 06, 2008 3:12 pm

The Referer header is very unreliable an can easily be faked by anyone wanting to submit a form from a different domain.

You can't put variables in the pattern part of RewriteRules or RewriteConds.

You can either hard code the domain name
Code: Select all
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{REQUEST_METHOD} ^POST$ [NC]
RewriteCond %{HTTP_REFERER} !^(http://(www\.)?example\.com(/.*)?)?$ [NC]
RewriteRule .* /backend_error.php [L]


Or try (this may not work depending on your Apache version)
Code: Select all
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{REQUEST_METHOD} ^POST$ [NC]
RewriteCond %{HTTP_HOST}/%{HTTP_REFERER} !^www\.([^/]+)/(http://(www\.)?\1(/.*)?)?$ [NC]
RewriteCond %{HTTP_HOST}/%{HTTP_REFERER} !^([^/]+)/(http://(www\.)?\1(/.*)?)?$ [NC]
RewriteRule .* /backend_error.php [L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am


Return to Security with Mod_Rewrite

Who is online

Users browsing this forum: Google [Bot] and 1 guest

cron