How to Block User Access to Servlet Pages Using HTTP_REFERER in Apache
As web applications grow, so does the need to secure sensitive pages and protect them from unauthorized access, especially from automated bots. If you find yourself in a situation where you need to block users from accessing certain servlet pages directly, but you lack the ability to modify the application server, then checking the HTTP_REFERER header in Apache can be part of your solution.
In this post, we will explore how to block access using HTTP_REFERER in your .htaccess file, breaking down the steps and providing clear examples to help you achieve your goal.
Understanding the HTTP_REFERER
The HTTP_REFERER is Apache's name for the Referer request header, which carries the address of the page that linked to the resource being requested. Simply put, it tells your server where a user came from before requesting a specific page. Keep in mind that the browser sets this header, so the server is trusting a client-supplied value: a script, a proxy or a browser privacy setting can omit it or replace it with anything at all.
Why Use HTTP_REFERER for Blocking Access?
- Security Measure: It raises the bar for casual direct access and for bots that do not bother to set headers, but it is not an access control: any client can send a forged Referer with a single extra header.
- Ease of Implementation: If you have control over the web server but not the application logic, this is a practical approach that needs nothing more than a few lines in .htaccess.
- Preventing Automated Requests: Most scripted or bot traffic arrives without a Referer, or with one pointing at a foreign site, so rejecting such requests keeps your forms reachable only through the pages that are meant to submit to them.
Setting Up the .htaccess Rewrite Rules
To implement blocking based on the HTTP_REFERER, you will need to add rules to your .htaccess file. Here's how you can structure your rules effectively.
Basic Rewrite Rule
You might start with a simple rule like this:
RewriteEngine on
# Return 403 for servlet1/... and servlet2/... unless the Referer is one of our own pages.
# The dot in ".cl" is escaped so it matches a literal dot, and https:// is accepted
# alongside http://; without that, a site served over TLS blocks its own visitors.
RewriteCond %{HTTP_REFERER} !^https?://mywebaddress(\.cl)?/.* [NC]
RewriteRule (servlet1|servlet2)/.+ - [F]
Explanation:
- RewriteEngine on: Enables the rewrite engine.
- RewriteCond: Is true when the HTTP_REFERER does not start with your site's address ([NC] makes the comparison case-insensitive). An absent Referer, which is what a direct request or a script typically sends, also fails to match, so it is blocked as well.
- RewriteRule: Targets requests whose path contains servlet1/ or servlet2/ followed by something, and the [F] flag answers them with 403 Forbidden when the condition holds. The pattern is not anchored, so it matches those names anywhere in the path.
Enhanced Rewrite Rule
However, if you want to refine the check so that outsiders can still open a plain page but cannot pass parameters to it, submit a form to it, or append extra path segments, you can combine the Referer condition with conditions on the query string, the request method and the path info:
# Assumes RewriteEngine on is already set above.
RewriteCond %{HTTP_REFERER} !^https?://mywebaddress(\.cl)?/.* [NC]
RewriteCond %{QUERY_STRING} ^.+$ [OR]
RewriteCond %{REQUEST_METHOD} ^POST$ [OR]
RewriteCond %{PATH_INFO} ^.+$
RewriteRule (servlet1|servlet2)\b - [F]
Breakdown of the Enhanced Rule:
- First Condition: Is true when the request does not come from one of your own pages (or carries no Referer at all).
- Second Condition: Is true when the request has a non-empty query string.
- Third Condition: Is true when the request is a POST.
- Fourth Condition: Is true when the request carries PATH_INFO, that is, extra path segments after the servlet name.
Note how mod_rewrite groups these: conditions joined with [OR] are evaluated together, and the result is combined with the preceding condition by the implicit AND. The chain therefore reads "the Referer is external AND (there is a query string OR the method is POST OR there is PATH_INFO)". A plain GET of the servlet URL from outside is still allowed; a GET with parameters, a POST, or a request with extra path segments is forbidden unless it appears to come from your site. Requests that satisfy the pattern and carry a same-site Referer pass straight through, which is exactly where a forged header slips in.
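To make the behaviour of both rule sets concrete without a running Apache, here is an added example (not part of the original post and not Apache code) that models how mod_rewrite evaluates them: the RewriteRule pattern is checked first, then the RewriteCond chain, with consecutive [OR] conditions grouped before the implicit AND. It runs both the Referer pattern exactly as written in the post and the escaped variant over a handful of constructed requests, so you can see which ones get a 403, that a forged Referer passes, and what the unescaped dot and the http-only prefix do. All host names, paths and requests are made up for the demonstration.

```python
"""Offline model of the two mod_rewrite rule sets discussed above.

Added example; it is not the post's own code and not Apache. It reproduces
mod_rewrite's evaluation order (RewriteRule pattern first, then the RewriteCond
chain, where consecutive [OR] conditions are grouped before the implicit AND).
All hosts, paths and requests are constructed for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str          # %{REQUEST_METHOD}
    path: str            # the path the RewriteRule pattern is matched against
    query: str = ""      # %{QUERY_STRING}
    path_info: str = ""  # %{PATH_INFO}
    referer: str = ""    # %{HTTP_REFERER}; "" when the client sends no Referer


# Referer pattern exactly as written in the post: unescaped dot, http only.
# The [NC] flag becomes re.IGNORECASE.
REFERER_AS_POSTED = re.compile(r"^http://mywebaddress(.cl)?/.*", re.IGNORECASE)
# Corrected pattern: literal dot, https accepted, host terminated by the "/".
REFERER_FIXED = re.compile(r"^https?://mywebaddress(\.cl)?/.*", re.IGNORECASE)

BASIC_TARGET = re.compile(r"(servlet1|servlet2)/.+")    # RewriteRule of the basic rule
ENHANCED_TARGET = re.compile(r"(servlet1|servlet2)\b")  # RewriteRule of the enhanced rule


def referer_is_external(req, referer_re):
    """RewriteCond %{HTTP_REFERER} !<pattern>: true when the Referer does NOT
    match, which includes the empty Referer of a direct or scripted request."""
    return referer_re.match(req.referer) is None


def basic_rule_forbids(req, referer_re=REFERER_FIXED):
    """RewriteRule (servlet1|servlet2)/.+ - [F] guarded by the single Referer condition."""
    if not BASIC_TARGET.search(req.path):
        return False
    return referer_is_external(req, referer_re)


def enhanced_rule_forbids(req, referer_re=REFERER_FIXED):
    """Four-condition variant: external_referer AND (query OR POST OR path_info)."""
    if not ENHANCED_TARGET.search(req.path):
        return False
    risky = bool(req.query) or req.method == "POST" or bool(req.path_info)
    return referer_is_external(req, referer_re) and risky


# Constructed requests covering the cases a reviewer would check by hand.
SCENARIOS = {
    "same-site link, plain GET":     Request("GET", "/app/servlet1/run", referer="http://mywebaddress/menu"),
    "direct GET, no Referer":        Request("GET", "/app/servlet1/run"),
    "direct POST, no Referer":       Request("POST", "/app/servlet1/run"),
    "external GET with query":       Request("GET", "/app/servlet2/run", query="id=1", referer="http://other.example/"),
    "same-site POST over https":     Request("POST", "/app/servlet1/run", referer="https://mywebaddress.cl/form"),
    "forged Referer, scripted POST": Request("POST", "/app/servlet1/run", referer="http://mywebaddress/form"),
    "unrelated page, no Referer":    Request("GET", "/app/index.jsp"),
}


def decisions(referer_re=REFERER_FIXED):
    """Map scenario name -> (basic_rule_forbids, enhanced_rule_forbids)."""
    return {name: (basic_rule_forbids(r, referer_re), enhanced_rule_forbids(r, referer_re))
            for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (basic, enhanced) in decisions().items():
        print(f"{name:31s} basic={'403' if basic else 'pass'}  enhanced={'403' if enhanced else 'pass'}")
    # The pattern as posted rejects every https Referer, so a TLS site blocks its
    # own form submissions, and its unescaped dot lets any character stand in.
    https_req = SCENARIOS["same-site POST over https"]
    print("as posted, same-site https POST blocked:",
          enhanced_rule_forbids(https_req, REFERER_AS_POSTED))
    odd_host = Request("POST", "/app/servlet1/run", referer="http://mywebaddressXcl/form")
    print("as posted, host 'mywebaddressXcl' accepted:",
          not enhanced_rule_forbids(odd_host, REFERER_AS_POSTED))
```

The "forged Referer, scripted POST" scenario is the one to keep in mind: it is indistinguishable from the legitimate same-site POST, because the only thing that differs is a header the client chose to send.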
Conclusion
Relying on HTTP_REFERER does not provide real security, because the header is set by the client and can be forged or omitted at will, but it is a cheap way to turn away casual direct requests and unsophisticated bots. This method is particularly useful when you cannot change the application itself.
Two practical caveats: legitimate users can lose the header too (browsers drop the Referer on an HTTPS-to-HTTP navigation and honour Referrer-Policy settings that strip it), so expect some false 403s, and anyone who reads this post can bypass the rule with one extra header. Treat it as a layer on top of, not a substitute for, server-side validation in the application, such as requiring authentication or an anti-CSRF token on the servlets you are trying to protect, and revisit it as your application and its user base grow.
If you’ve tried these methods or have additional insights, please leave a comment—your experiences can help others tackle similar challenges!