Reputation: 630
In some of our systems we have a blocklist of IP addresses which stops certain IPs from viewing the website. Currently the PHP just issues text saying your IP address has been blocked, blah blah blah.
HOWEVER
I have come across the HTTP error code 403 and, to be more exact, error code 403.6 (http://en.wikipedia.org/wiki/HTTP_403), which I think would be better than just text.
But I read somewhere that the .6 is only for Windows, or something along those lines?
Can I send a 403.6 header through PHP from my LAMP servers, and would this be better practice than just sending "you've been blocked" text?
Upvotes: 4
Views: 8403
Reputation: 41
If certain IP addresses have been blocked because they are blacklisted, then it is all right to return a simple 404 "Not Found" HTTP status, especially for addresses that have been marked as 'malicious'.
Don't give them any information they can use. Just say 'nothing to see here' instead of 'here is something you are not allowed to see'.
In any case, always try to provide information on a need-to-know basis.
Upvotes: 4
Reputation: 25165
Send a simple 403, as it's the correct code for Forbidden, and then send a custom textual message so your users understand what's going on.
Sample PHP code below.
```php
<?php
// The status line must be sent before any output, so this comes first.
header("HTTP/1.0 403 Forbidden");
?>
<h1>Access Forbidden!</h1>
You have been banned from seeing our site because xx and you will
xx etc ...
```
Upvotes: 9
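One way to wire the blocklist check into PHP, covering both this answer's advice (a real 403 with an explanation) and the earlier answer's option of a plain 404 that reveals nothing. This is an added example, not code from any of the answers: the blocklist entries, the proxy address 10.0.0.5 and the abuse@example.com contact are made-up placeholders, and it assumes PHP 7.1 or later.

```php
<?php
// Added example: IP blocklist check that answers with a real HTTP status
// (403 with an explanation, or a bare 404) instead of a 200 with text.
declare(strict_types=1);

// Constructed sample blocklist: single addresses or CIDR ranges, v4 or v6.
const BLOCKLIST = [
    '203.0.113.0/24',   // documentation range, placeholder
    '198.51.100.7',
    '2001:db8::/32',
];

// Client address. X-Forwarded-For is only honoured when REMOTE_ADDR is one
// of your own reverse proxies; otherwise a client can forge the header and
// walk straight past the blocklist.
function client_ip(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($trustedProxies === [] || !in_array($remote, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Walk the chain from the right: the rightmost entries were appended by
    // your proxies, so the first non-proxy entry is the real client. Taking
    // the leftmost entry would let the client spoof it.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (!in_array($chain[$i], $trustedProxies, true)) {
            return $chain[$i];
        }
    }
    return $remote;
}

// True if $ip equals $entry or lies inside the CIDR range $entry.
function ip_matches(string $ip, string $entry): bool
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        return false;
    }
    if (strpos($entry, '/') === false) {
        $entryBin = inet_pton($entry);
        return $entryBin !== false && $entryBin === $bin;
    }
    [$net, $bits] = explode('/', $entry, 2);
    $netBin = inet_pton($net);
    if ($netBin === false || strlen($netBin) !== strlen($bin)) {
        return false; // malformed entry, or v4 address against a v6 range
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > strlen($bin) * 8) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);   // compare whole prefix bytes first
    if (substr($bin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;                // then the leftover bits of one byte
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($bin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function is_blocked(string $ip, array $blocklist): bool
{
    foreach ($blocklist as $entry) {
        if (ip_matches($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// $reveal = true: the friendly 403 with a reason and a contact address.
// $reveal = false: "nothing to see here", a 404 with a generic body.
function deny(bool $reveal): void
{
    header('Content-Type: text/html; charset=utf-8');
    if ($reveal) {
        http_response_code(403);
        echo '<h1>Access Forbidden</h1>',
             '<p>Your address is on our blocklist. If you believe this is an error, ',
             'contact abuse@example.com.</p>';      // placeholder contact
    } else {
        http_response_code(404);
        echo '<h1>Not Found</h1>';
    }
    exit; // never fall through and render the real page
}

if (PHP_SAPI !== 'cli') {
    $ip = client_ip($_SERVER, ['10.0.0.5']);   // placeholder proxy address
    if (is_blocked($ip, BLOCKLIST)) {
        deny(true);
    }
}
```

Include this before anything is echoed, or the status line cannot be sent. Note that an HTTP status line carries only a three-digit code, so there is no wire-level 403.6 for PHP to send; the .6 is an IIS substatus that shows up in IIS logs and error pages, not in the response status.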
Reputation: 5715
According to the way HTTP was defined, in true standard fashion your server should respond with a custom 4xx HTTP status code. Many unused status codes in the 4xx range are available for your use.
A list of status codes already in use can be found here.
Edit:
You should use both a status code and a message, but one unrelated to the ones already defined. As an example you could use:
455 Your access has been blocked for excessive crawling
Upvotes: 1
Reputation: 437336
I don't think there is any point in returning a 403.6 over a plain 403 if you are going to slam the door in the user's face like that.
The other option, sending a 200 instead with an appropriate message, is preferable if, in the interest of user-friendliness, you want to notify the user of what has happened (possibly provide some contact information for those who believe they are being blocked erroneously, etc.).
Choosing between the "slam the door" approach (which is technically more correct) and the "friendly" approach (which is better for your human users) is your call.
Upvotes: 0
Reputation: 1998
You could have a .htaccess file set up on your Apache server to block the IP addresses, which can include all your blocked IP ranges in a rule. The error page for the 403 status (which is displayed for blocked connections) can also be customized in the .htaccess file.
Upvotes: 0