
I'm setting up a server for a school project, and want to block POST requests from origins outside my domain and its subdomains.

I tried to neglect the localhost IP, the page from which the POST comes and the subdomain, but none worked (a 403 access denied error is always thrown).

```apache
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} !/api/auth.php #listing allowed origins
RewriteCond %{REQUEST_URI} !/auth.php
RewriteCond %{REMOTE_ADDR} !127.0.0.1
RewriteCond %{REMOTE_HOST} !domain.com
RewriteCond %{REMOTE_HOST} !api.domain.com
RewriteCond %{REMOTE_HOST} !www.domain.com
RewriteCond %{REMOTE_HOST} !^(.*)\.domain\.com
RewriteRule .* - [F,L]
</IfModule>
```

I expect a POST from a URL outside domain.com to be blocked with a 403 error, but the actual result is that I also receive a 403 error from within domain.com.

  • "from origins outside my domain and its subdomains" - what exactly do you mean by this? Unless it is actually your _server_ that is making the request (unusual) then _every_ request is from an "origin outside of your domain". Are you instead referring to POST requests made as a result of some activity on your website? – MrWhite May 20 '19 at 22:40
  • "#listing allowed origins" - By testing against `REQUEST_URI` you are "listing allowed _targets_", not "origins"? Bit of an aside, but I would have expected that line-end comment (not supported by Apache) to have triggered a 500 error (invalid flags)? – MrWhite May 20 '19 at 22:44

0 Answers
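An added example, not part of the original question or its comments: `REMOTE_ADDR` and `REMOTE_HOST` describe the connecting client machine, so a visitor's browser never matches `domain.com` and every POST is rejected. Assuming the intent is to reject POSTs submitted by pages on other sites, the check belongs on the `Origin` request header, with `Referer` as a fallback; `domain.com` is the placeholder from the question.

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Comments must sit on their own line; a trailing "# ..." after a
    # RewriteCond is parsed as part of the directive, not as a comment.

    # Rule 1: the browser sent an Origin header and it is not domain.com
    # or one of its subdomains (optional port allowed) -> 403.
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP:Origin} !=""
    RewriteCond %{HTTP:Origin} !^https?://([a-z0-9-]+\.)*domain\.com(:[0-9]+)?$ [NC]
    RewriteRule ^ - [F]

    # Rule 2: no Origin header at all. Require a Referer that points at
    # domain.com or a subdomain; a missing or foreign Referer -> 403.
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP:Origin} =""
    RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*domain\.com(:[0-9]+)?(/|$) [NC]
    RewriteRule ^ - [F]
</IfModule>
```

Browsers set `Origin` and `Referer` themselves, so this rejects cross-site form and script POSTs coming from other sites' pages. A non-browser client can send any header value, so treat it as a cross-site request filter alongside CSRF tokens and authentication, not as a replacement for them.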