I have a sever with Linux and Apache latest version. I noticed that if I send a POST with data to any address on the site this is accepted even if there is not a specific PHP script that can handle it. I think it's normal. But how can I prevent this? I know that some sites (Ebay) complete the post before returning an error (imagine if the post includes a large file, server bandwidth consumption is guaranteed).
How can you prevent a POST from running upstream of a php script or any other script? Do you have to work on the Apache server or in the .htaccess?
You would have to block the request before it reaches PHP. I'm not sure about the header() method, but restricting access from .htaccess seems a safer option.
RewriteCond %{REQUEST_METHOD} POST
RewriteRule .* – [F,L]
I'm not sure but I think your should set your response headers to tell your browser what your end point accepts...
header('Access-Control-Allow-Methods', 'GET, PUT, DELETE, PATCH, OPTIONS'); // just exclude the POST method
I'm just spit balling, I had gotten this from the CORS specifications.If it doesn't work then it's probably because this header has to be in response to an OPTIONS request instead.
If this does work, please tell me.
Related
I finished my Angular project.
In my project I send POST requests with data to PHP files, and then get result from them back to Angular.
Now I want to allow requests only from the origin domain, and deny any request from any othe domain.
I try to use:
header("Access-Control-Allow-Origin: example.com");
but it does not work. And I don't want to use $_SERVER['HTTP_REFFER'] because it can manipulated.
I also tried to use .HTACCESS but I don't know how to implement that. I tried something like that:
order deny, allow
deny from all
allow from mydomain.com
but it does not work.
My project already has the following .HTACCESS file:
RewriteEngine On
# If an existing asset or directory is requested go to it as it is
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f [OR]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d
RewriteRule ^ - [L]
# If the requested resource doesn't exist, use index.html
RewriteRule ^ /index.html
taken from here: https://angular.io/guide/deployment#routed-apps-must-fallback-to-indexhtml
What can I do?
Thanks.
Short answer :
header("Access-Control-Allow-Origin: *");
Is the minimum that should work (on your server side), but you may need to add two additional headers like:
header("Access-Control-Allow-Methods: POST, GET, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type");
Like any header() call, be sure to perform those BEFORE any output.
Long answer:
CORS allow, with a relative security, to perform cross origin queries, depending on a pre-flight request OPTIONS to check what's allowed and what's not.
Access-Control-Allow-Origin sets which origins (domains) are allowed. You may want to use only your trusted domains.
Access-Control-Allow-Methods sets which methods are allowed. Usually, a lot of those.
Access-Control-Allow-Headers sets which optional (and customized) headers are allowed. Usually, you want to include any non-standard headers on top of Content-type.
CORS is incredibly well documented here : https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
I have a PHP CMS which has setting section for the webstie. On these settings, it receives script codes automatically and then replaces into templates directly.
The problem is that when the setting section is sent with Ajax for process, on the modsecurity server it blocks the post request with 403 error, because of the existence of script code on request data.
We can solve this issue with the code bellow on htaccess, but it deactivates the mod security which is not make sense:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
If anyone have solution for this issue that I could post the modification script to ajax without request blockage?
Is it possible to put those scripts on data with coding them?
DATA example :
stats: <img id='apfurgvizp' style='cursor:pointer' onclick='window.open("https://logo.samandehi.ir/Verify.aspx?id=539&p=dshwxlapfvl", "Popup","toolbar=no, scrollbars=no, location=no, statusbar=no, menubar=no, resizable=0, width=450, height=630, top=60")' alt='logo-samandehi' src='https://logo.samandehi.ir/logo.aspx?id=539&p=ujyshwlbsiy'/>
ERORR on send Ajax request :
403 Forbidden Error
Server specifications :
Centos 7 Cloud Linux
CSF
CXS
modsecurity
CMS specifications :
pure PHP
OOP
yes, disable entire mod_sec probably doesn't make much sense , but disable the single rule that cause the false-positive alert is.
you can use
<IfModule mod_security.c>
SecRuleRemoveById 1234567
</IfModule>
to disable that particular rule that cause the 403.
It's the very famous browser error. I know it has been discussed a lot but I've noticed is a very generic error so I want to present my problem.
I am making simple requests (get,post) on a server where I have access. My browsers (chrome, firefox) give me Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at url (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'null'). error.
When I use some of (hacking)plugins I get the responses fine.
What I've tried is to add on my back-end (on server):
header('Access-Control-Allow-Origin: *');
in index.php file with no luck. Any other ideas ?
Try adding
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, GET, POST");
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
I have solved this issue.
In your config.php add www pre in your domain.com
exa.
// HTTP
define('HTTP_SERVER', 'http://domain name with www/');
// HTTPS
define('HTTPS_SERVER', 'http://domain name with www/');
Add you htaccess file
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
There are several ways to do this. One way is the javascript way, which requires a callback and one example can be found here: Loading cross domain html page with AJAX
Another way is to utilize PHP's curl functionality. Of course there are many ways to do this, but one method that works well for me is to:
Create a standalone php page (can call it "fetch.php" if you
like) that has 1 job. That job is to make a curl request to a given
URL (your cross-domain url in this case) and echo the data that it
gets from the remote site.
Change the AJAX URL from the cross-domain
URL to the name of file created in previous step.
AJAX then knows
it's making an HTTP request to a location inside its current domain even though it's getting its data from a cross-domain location.
Hope this helps,
Adam
You can whitelist the blocked URL like:
script-src 'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'
I tried adding a chrome plugin "Allow-Control-Allow-Origin" after several tries with server side changes. Everything worked fine.
Sometimes when I submit ajax requests I get this error
XMLHttpRequest cannot load http://www.mysite.com/go/submit. Origin http://mysite.com is not allowed by Access-Control-Allow-Origin.
Here are solutions I thought about:
* Add the allow origin rule everywhere?
* Write .htaccess to always redirect to full url
* Use this method http://james.padolsey.com/javascript/cross-domain-requests-with-jquery/
How should I fix this problem?
The same origin policy means you cannot analyze data (json, html, image, etc.) that are coming from another "origin" (domain, port) than yours.
Note that
The term "origin" is defined using the domain name, application layer
protocol, and (in most browsers) port number of the HTML document
running the script
A solution is to set, on the server serving the other data, CORS headers explicitly allowing the access :
Access-Control-Allow-Origin: *
So you must have control of the server serving the data you embed as soon as you're not just displaying them.
A somewhat indirect solution is to let the browser think there is only one origin, by putting on your server a proxy. On apache you don't need .htaccess but mod_proxy. If you want to install such a proxy, you may be interested by this SO question (in fact you'd probably be more interested by the answer which helped me set such a proxy on one of my servers).
If your only problem is people typing mysite.com instead of www.mysite.com and you have only one server, you may simply use .htaccess to rewrite the URL :
RewriteEngine On
RewriteCond %{HTTP_HOST} ^mysite\.com$ [NC]
RewriteRule ^(.*)$ http://www.mysite.com/$1 [L,R=301]
What I'm doing
I'm pulling an image from the database and sending it to the browser with all the proper headers - the image displays fine. I also send an ETag header, using the SHA1 of the image's content as the tag.
The images are getting called semi regularly, so caching is a bit of an issue (won't kill the site, but nice to have).
The Problem
$_SERVER['HTTP_IF_NONE_MATCH'] is not available to me. As far as I can tell, this is because of PHP's "disobey the cache controls" life style. I can't mess with the session cache limiter, because I don't have access. But, even if I did have access, I wouldn't want to touch it: 99% of the site is under WordPress.
The Environment
PHP 4 (don't ask)
Apache 2.2
WordPress
The images live in the database (largeblog), which I can't change.
Any guidance, tip/tricks, etc. would be helpful. I don't have much room to change the environmental/structural stuff.
Cheers.
Have you tried reading HTTP_IF_NONE_MATCH from apache_request_headers()?
If you are running pre-4.3 php, it was called getallheaders() before.
Edit
I now see, in the page I linked, that you may also want to try to put
RewriteEngine on
RewriteRule .* - [E=HTTP_IF_MODIFIED_SINCE:%{HTTP:If-Modified-Since}]
RewriteRule .* - [E=HTTP_IF_NONE_MATCH:%{HTTP:If-None-Match}]
in the appropriate .htaccess file to force Apache to set the PHP $_SERVER[...] variables you're unsuccessfully trying to read.
If PHP is not receiving The If-None-Match match header, there's not much you can do. I don't know what you mean by "PHP's "disobey the cache controls""; PHP generates arbitrary dynamic on-the-fly, it cannot, a priori, know whether what it is to return is cached by the client or not.
Anyway, you should investigate whether the client is in fact SENDING the header. If it is, but it's not reaching PHP, check whether it's reaching Apache. If it's reaching PHP but not Apache, you could always hack some solution with mod-rewrite, like adding the header as query string (not tested!):
RewriteCond %{HTTP_IF_NONE_MATCH} (.+)
RewriteRule ^/get_image.php /get_image.php?if-none-match=%1 [B,QSA]