Posted to dev@httpd.apache.org by ra...@madhaus.utcs.utoronto.ca on 1996/05/01 02:51:02 UTC
Restricting POST access from external forms?
Is there any way to restrict a POST method request if the originating
form is not local? As far as I can tell, there isn't, but I could
have missed something. Checking HTTP_REFERER in a CGI script will do the
trick, but it would be nice to add a configuration directive for this.
-Rasmus
Re: Restricting POST access from external forms?
Posted by ra...@madhaus.utcs.utoronto.ca.
> Is there any way to restrict a POST method request if the originating
> form is not local? As far as I can tell, there isn't, but I could
> have missed something. Checking HTTP_REFERER in a CGI script will do the
> trick, but it would be nice to add a configuration directive for this.
Ugh! Yes, I am replying to my own stupid question. Too much coding, not
enough sleep.
This obviously can't be done by the server. Some sort of cookie mechanism,
or an intelligent one-time password scheme passed from page to page might
do the trick. The question being, "How do you stop someone from sending
fake POST data to a CGI?" It would be nice if one could trust hidden
form fields to not have been tampered with by the client. Best way is
probably the one-time password/checksum idea. Regardless, it's not an
Apache issue.
-Rasmus
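
The one-time password/checksum idea from the message above, as an added example (not code from the post or from Apache): the server attaches a keyed checksum and a single-use nonce to the hidden fields when it emits the form, then verifies both on POST. The key handling, the `_nonce`/`_issued`/`_mac` field names, the 15-minute lifetime and the in-memory nonce store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to the client
TOKEN_TTL = 900                       # assumption: an issued form is valid for 15 minutes
_used_nonces = set()                  # assumption: in-memory; separate CGI processes need shared storage


def _mac(fields, nonce, issued):
    # Length-prefix every part so bytes cannot be shifted between names and values.
    parts = [nonce, issued] + [p for name in sorted(fields) for p in (name, fields[name])]
    raw = [p.encode() for p in parts]
    msg = b"".join(len(r).to_bytes(4, "big") + r for r in raw)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_form(hidden_fields, now=None):
    """Return the hidden fields plus the nonce, timestamp and checksum to embed in the form."""
    issued = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    out = dict(hidden_fields)
    out.update({"_nonce": nonce, "_issued": issued,
                "_mac": _mac(hidden_fields, nonce, issued)})
    return out


def verify_post(posted, protected_names, now=None):
    """Check a parsed POST body (dict of str); protected_names are the hidden fields to trust."""
    now = time.time() if now is None else now
    try:
        nonce, issued, mac = posted["_nonce"], posted["_issued"], posted["_mac"]
        age = now - int(issued)
        fields = {k: posted[k] for k in protected_names}
    except (KeyError, ValueError):
        return False, "missing field"
    expected = _mac(fields, nonce, issued)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad checksum"
    if age < 0 or age > TOKEN_TTL:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "replayed"
    _used_nonces.add(nonce)  # burn the nonce only after every other check has passed
    return True, "ok"
```

The checksum covers only the fields named in `protected_names`; anything the user types into the form still has to be validated as untrusted input.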