Reputation: 13
I'm trying to block all HTTP POST requests in my root folder but allow HTTPS POST. I'm dealing with a huge volume of POST requests which are decimating my server bandwidth, but they are all HTTP. When actual customers come to the website, POST actions are required (login, etc.), but they are all done on HTTPS pages. Can I weed out the offending requests and allow only HTTPS POST actions? Using the following I'm able to block:
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REMOTE_ADDR} !127.0.0.1
RewriteRule ^ / [F]
Then tried this to allow HTTPS:
#if https on
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_METHOD} POST
RewriteRule ^ / [L]
#else
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REMOTE_ADDR} !127.0.0.1
RewriteRule ^ / [F]
Which returns a 500 internal server error. Note that legit POST requests do originate in the root so I can't just add a special .htaccess in a subfolder which allows POST.
Upvotes: 1
Views: 1491
Reputation: 785631
You can block all HTTP POST requests like this:
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_METHOD} POST
# allow localhost
RewriteCond %{REMOTE_ADDR} !127\.0\.0\.1$
RewriteRule ^ - [F]
Upvotes: 1
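The answer's rule laid out as a complete root `.htaccess`, as an added example that is not code from either poster. It assumes mod_rewrite is enabled and overrides are allowed, adds the IPv6 loopback, and includes a commented variant for the assumed case where TLS terminates at a reverse proxy that overwrites `X-Forwarded-Proto`.

```apache
# Added example; assumes mod_rewrite is loaded and AllowOverride permits FileInfo.
RewriteEngine On

# Case 1: Apache terminates TLS itself, so %{HTTPS} is trustworthy.
# Consecutive RewriteCond lines are ANDed:
#   not HTTPS  AND  method is POST  AND  client is not loopback  =>  403
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond %{REMOTE_ADDR} !^::1$
# "-" means "no substitution": the URL is left untouched and the request is
# refused with 403 Forbidden. HTTPS POSTs never match the first condition,
# so they need no separate "allow" rule.
RewriteRule ^ - [F]

# Case 2 (assumption): TLS ends at a load balancer or CDN and Apache only
# ever sees plain HTTP. %{HTTPS} is then "off" for every request, and Case 1
# would also refuse legitimate customer POSTs. Use the forwarded scheme
# instead, but only if the proxy overwrites this header on every request;
# otherwise a client can send "X-Forwarded-Proto: https" itself and pass.
# REMOTE_ADDR is the proxy's address in this setup, so the loopback
# exemption is dropped here.
#
# RewriteCond %{HTTP:X-Forwarded-Proto} !=https
# RewriteCond %{REQUEST_METHOD} =POST
# RewriteRule ^ - [F]
```

The 403 is still generated by Apache, so the unwanted requests continue to reach the server; what shrinks is the work done and the response size for each one.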