4

In some of our systems we have a blocklist of IP addresses which stops certain IPs viewing the website. Currently the PHP just issues text saying your IP address has been blocked blah blah blah.

HOWEVER

I have come across the HTTP Error Code 403 and to be more exact error code 403.6 (http://en.wikipedia.org/wiki/HTTP_403) which I think would be better than just text.

But I read somewhere that the .6 is only for Windows or something along those lines??

Can I send a 403.6 header through PHP from my LAMP servers and would this be better practice than just sending "you've been blocked text"?

hozza
  • Why not just tell the requester "YOU'VE BEEN BLOCKED DUE TO IP"? Most don't have a clue about what a 403 means, much less a 403.6. I guess I'll be interested to see what others have to say. :) – Jared Farrish Apr 17 '11 at 23:08
  • It does display simple text ATM and not a 403.6, however it is mainly harvesting/spam servers that get blocked, not humans, so surely a proper error would be better? – hozza Apr 17 '11 at 23:12
  • So then why not just report 403? – Jared Farrish Apr 17 '11 at 23:15
  • Surely a more exact error is better – hozza Apr 17 '11 at 23:31
  • Maybe, for analytics you could tell what was happening. If your main concern is cold-shouldering the dregs of the intertubes, and you're worried about the random false-positive, then I guess you could be in a quandary. – Jared Farrish Apr 17 '11 at 23:35

5 Answers

9

Send a simple 403 as it's the correct code for forbidden and then send a custom textual message so your users understand what's going on.

Sample PHP code below.

<?php
// The status line must be sent before any output, otherwise PHP has already sent 200 OK.
header("HTTP/1.0 403 Forbidden");
?>

<h1>Access Forbidden!</h1>

You have been banned from seeing our site because xx and you will
xx etc ... 
Williams
Frankie
4

If certain IP addresses have been blocked because they are blacklisted, then it is all right to return a simple 404 "Not Found" HTTP status, especially for addresses that have been marked as 'malicious'.

Don't give them any information they can use. Just say 'nothing to see here' instead of 'here is something you are not allowed to see'.

In any case, always try to provide information on a need-to-know basis.

PatrickVDV
  • Another option for malicious requests is to send 500 "server busy" after delaying for several seconds or 200 with junk responses. – Michael Khalili Jan 09 '14 at 09:03
1

According to the way HTTP was defined, in true standard way your server should respond with a custom 4xx HTTP status code. Many unused status codes in the 4xx range are available for your use.

And a list of already in use status codes can be found here.

Edit:

You should use both status code and message, but one unrelated to the ones already defined. As an example you could use:

455 Your access has been blocked for excessive crawling
mhitza
  • OK, so you think I should use an error code instead of text, but I don't understand whether I should use 403 or 403.6? – hozza Apr 17 '11 at 23:15
  • Are you suggesting to pick a random 4xx status code and define that as "sorry, I don't like your IP"? How would the client know what your custom status code means? – BlueEel Apr 17 '11 at 23:19
  • @BlueEel status code ranges predefine an expected behavior, 4xx <- client error. HTTP was built with user extensions in mind. – mhitza Apr 17 '11 at 23:22
0

You could have a .htaccess file setup on your Apache server to block the IP addresses which can include all your blocked IP ranges in a rule. The error message for the 403 message (which is displayed for blocked connections) can also be customized with the .htaccess file.

Rasika
  • In that case you can use a HTTP header of 403 and display your customized error message on the page (using PHP). – Rasika Apr 17 '11 at 23:25
  • OK cheers, this is what other people have said; however surely a more exact error code would be better **if** it is possible – hozza Apr 17 '11 at 23:32
0

I don't think there is any point in returning a 403.6 over a plain 403 if you are going to slam the door in the user's face like that.

The other option, sending a 200 instead with an appropriate message is preferable if, in the interest of user-friendliness, you want to notify the user of what has happened (possibly provide some contact information for those who believe they are being blocked erroneously etc).

Choosing between the "slam the door" approach (which is technically more correct) and the "friendly" approach (which is better for your human users) is your call.

Jon
  • It doesn't have to be one or the other. You can return an "error page" just fine while issuing a 403. – deceze Apr 17 '11 at 23:18
  • Wow, thank you Jon. As we only block servers and not humans I feel the error code will be more suiting. **BUT** _can_ a 403.6 be sent or is this only available from a Windows server, and is the 403.6 accepted across all major browsers? – hozza Apr 17 '11 at 23:20
  • @deceze: I thought of that too and made a small experiment before answering. FF 4 and Chrome 11 displayed my "sorry" page fine (about 15 bytes of content or so), IE 9 did not (displayed the friendly error page instead). So I opted to not bring that up. – Jon Apr 17 '11 at 23:26
  • @hozza: What do you care about browsers if you are blocking servers and not users? Or did I misunderstand you? – Jon Apr 17 '11 at 23:27
  • @Jon good question, I care about browsers just on the off chance that a user does accidentally get blocked. – hozza Apr 17 '11 at 23:28
  • AFAIK very short error pages may be replaced by "browser friendly pages", since they're assumed to only contain the status code text. If you make a full fledged error page, it should show up just fine. – deceze Apr 17 '11 at 23:36
  • Yes, many browsers like IE do that, so generally what people do is just pad their error page content with some HTML comments etc. Like ... I think a couple of KB is enough. Google will probably tell you. (ps, I know I'm late to the party, this is for posterity though) – XP84 Oct 05 '12 at 22:18