httpd-dev mailing list archives

From: r..@ai.mit.edu (Robert S. Thau)
Subject: Re: Restricting POST access from external forms?
Date: Wed, 01 May 1996 13:48:41 GMT

  Is there any way to restrict a POST method request if the originating
  form is not local?

The stateless nature of the HTTP protocol makes restrictions like this
difficult to even specify in a completely clean and secure way --- checking
HTTP_REFERER is about the best you can do, but you should be aware that it
may sometimes be inaccurate, and may very well be absent, at the client's
discretion.  (Always remember that Mallet's favorite web client is telnet).

It would be possible to write a module which does an access check based
on the Referer header, and bounces the request if it doesn't like what
it sees; however, given the inherent unreliability of the technique I
don't think it would be a really good idea.

rst
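
Added example, not part of the original message and not Apache code: a Python sketch of the Referer check the reply describes, assuming a hypothetical local host name www.example.com and constructed sample requests. It returns three outcomes because an absent header says nothing either way, and the last sample shows why a passing check proves little.

```python
from urllib.parse import urlsplit

ALLOW, DENY, UNKNOWN = "allow", "deny", "unknown"
LOCAL_HOSTS = {"www.example.com"}  # assumption: hypothetical local site name


def check_post_referer(method, headers, local_hosts=LOCAL_HOSTS):
    """Classify a request by the host named in its Referer header.

    headers maps lowercase header names to values. UNKNOWN means the
    header was absent, which the client is free to do; policy must decide.
    """
    if method.upper() != "POST":
        return ALLOW  # only POST is restricted in this sketch
    referer = headers.get("referer", "").strip()
    if not referer:
        return UNKNOWN
    try:
        host = urlsplit(referer).hostname  # lowercased by urlsplit
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return DENY
    if host is None:
        return DENY  # not an absolute URL
    # Exact host comparison: a substring test would accept
    # "www.example.com.elsewhere.test".
    return ALLOW if host in local_hosts else DENY


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("local form", "POST", {"referer": "http://www.example.com/form.html"}),
    ("external form", "POST", {"referer": "http://other.test/copy.html"}),
    ("look-alike host", "POST", {"referer": "http://www.example.com.elsewhere.test/f"}),
    ("header omitted", "POST", {}),
    ("garbage value", "POST", {"referer": "not a url"}),
    # Typed by hand into a raw connection: the header is whatever the
    # client sends, so this is indistinguishable from "local form".
    ("hand-typed header", "POST", {"referer": "http://www.example.com/form.html"}),
]


def classify_samples():
    return {name: check_post_referer(m, h) for name, m, h in SAMPLES}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18} {verdict}")
```

Treating UNKNOWN as deny locks out clients that omit the header, and treating it as allow lets any request through that simply leaves it off.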
