Denying non-local referrers

Tue, 1 Feb 2005

A couple of weeks ago I was trying, and not succeeding, to block external referrers from my CGI directory. I got my sysadmin to enable .htaccess and Mod_Rewrite for that document root, after which I declared success, but I never actually tested my rules. (Oops.)

I had been trying to avoid Mod_Rewrite (since it's fairly heavy), but the rules I wrote without it don't work. So, for those of you who wanted to know how to make it work:

RewriteEngine on

# No Referer at all (direct visit, or a browser that suppresses it): let it through.
RewriteCond %{HTTP_REFERER} !^$
# Our own host and its www subdomain. Escape the dots and require a port, a slash or
# end-of-string after the host, so http://niceperson.org.attacker.example/ is not let through.
RewriteCond %{HTTP_REFERER} !^https?://niceperson\.org(:[0-9]+)?(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://www\.niceperson\.org(:[0-9]+)?(/|$) [NC]
# Anything else: 403 Forbidden. [F] implies [L], and "-" leaves the URL untouched.
RewriteRule .* - [F]

Just list all the domains and subdomains that you consider valid referrers for that directory and stick it all in a .htaccess file in the appropriate directory. Test it by linking to a forbidden page from another site, or by sending a request with a made-up Referer header (curl's --referer option will do) and checking that you get a 403. If it doesn't work, then either one of us typed something wrong or Mod_Rewrite is not enabled for your document root: rewrite directives in .htaccess need AllowOverride FileInfo. (In that case, talk to your sysadmin.) Keep in mind that the Referer header is whatever the client chooses to send, so this blocks the lazy referrer spam that advertises a URL, not anyone who deliberately forges or omits the header.
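To check the rule set without needing a second site to link from, here is a small model of the conditions in Python, written for this page rather than taken from the post or from Apache. It evaluates the post's patterns as written (unescaped dots, no terminator after the host) alongside a tightened version with escaped dots and a host terminator, over a handful of constructed Referer values. Each RewriteCond is treated as a negated, case-insensitive regex, the conditions are ANDed, and the rule "fires" (403) only when all of them hold. The hostnames other than niceperson.org are made up.

```python
import re

# Added example modelling the post's .htaccess conditions; not the page's own code.
# Apache evaluates each RewriteCond as a PCRE match on the header value, "!" negates it,
# [NC] makes it case-insensitive, and the RewriteRule runs only if every condition holds.

# The post's allow-list patterns as written: unescaped dots, nothing anchoring the host end.
LOOSE_ALLOW = [
    r"^http://niceperson.org.*$",
    r"^http://www.niceperson.org.*$",
]

# Tightened patterns: escaped dots, and the host must be followed by an optional port,
# a slash, or end-of-string, so a look-alike host with the real name as a prefix fails.
STRICT_ALLOW = [
    r"^https?://niceperson\.org(:[0-9]+)?(/|$)",
    r"^https?://www\.niceperson\.org(:[0-9]+)?(/|$)",
]


def is_forbidden(referer, allow_patterns):
    """Return True if the rewrite rule would fire (HTTP 403) for this Referer value.

    referer: the raw header value, or "" when the client sent none.
    Mirrors the rule set:
        RewriteCond %{HTTP_REFERER} !^$              -> empty referrer is allowed
        RewriteCond %{HTTP_REFERER} !<pattern> [NC]  -> one per allowed host
        RewriteRule .* - [F]                         -> fires only if every cond holds
    """
    if referer == "":
        return False  # first condition fails: no Referer gets the benefit of the doubt
    for pat in allow_patterns:
        if re.search(pat, referer, re.IGNORECASE):
            return False  # a "!pattern" condition fails, so the rule does not fire
    return True


# Constructed sample Referer values (made-up hosts apart from niceperson.org).
SAMPLES = [
    ("", "no Referer header"),
    ("http://niceperson.org/index.html", "own site"),
    ("HTTP://WWW.NICEPERSON.ORG/cgi-bin/foo.cgi", "own site, mixed case ([NC])"),
    ("http://referrer-spam.example/", "third-party site"),
    ("http://niceperson.org.referrer-spam.example/", "look-alike host with real host as prefix"),
    ("http://nicepersonXorg/", "unescaped dot matches any character"),
]


def compare(samples=SAMPLES):
    """Evaluate each sample under both pattern sets.

    Returns a list of (referer, forbidden_under_loose, forbidden_under_strict)."""
    return [(ref, is_forbidden(ref, LOOSE_ALLOW), is_forbidden(ref, STRICT_ALLOW))
            for ref, _ in samples]


if __name__ == "__main__":
    for (ref, label), (_, loose, strict) in zip(SAMPLES, compare()):
        print(f"{label:42s} loose={'403' if loose else 'allow':5s} "
              f"strict={'403' if strict else 'allow'}")
```

The two cases where the pattern sets disagree are exactly the ones to watch: the look-alike host and the "any character" dot are both let through by the loose patterns and refused by the strict ones, while an empty Referer is allowed by both. Against the live server the same cases can be sent with curl's --referer option, for example curl -sI --referer 'http://niceperson.org.attacker.example/' followed by the URL of one of your CGI scripts, and the status line should read 403 for the look-alike host and 200 for your own.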

Good luck!

Comments

jlv says:

So will this stop browsers that have referring turned off, like I just did with Firefox, and I think some Internet security programs do (Norton) by default on Windows machines? Mildly curious where you are hosting (at home?) that you can get the sysadmin to modify the setup like that for you. Hmm, it makes it through the previewer, so here goes....

Laurabelle says:

No, it won't stop browsers that don't show a referrer because it gives the benefit of the doubt when there's no referrer. That's the first line of the code (^$, blank match). I don't mind giving the benefit of the doubt, because what I care about right now is blocking referrer spam. If referrer spammers dropped the referrer in order to pass my block, that would be pretty pointless, wouldn't it?

If my code were blocking your browser, you wouldn't see any images on my site (including the background image), and you wouldn't even get to compose a comment at all.

As for where I'm hosting, see Beehost.net. The sysadmin is my ex-boyfriend. :-)

jlv says:

This is spam from a PHP script

jlv says:

Hmm, I didn't think that would work... I thought for a minute there that this might solve a similar sort of problem I'm dealing with.

Go ahead and delete both of these if you want.
