|
Blocking HEAD requests in apache
Does anyone know how to block head requests and still let legit connections through. I am sure there is a way in the htaccess file, or if not, using the apache config. Anyone know? Thanks,
ZoiNk |
Why would you block HEAD requests?
Are you being attacked? |
What are you trying to accomplish?
|
Never turn down head.
|
A friend of mine was asking, so I thought I would try and find the answer for him.
Attackers try bruteforcing htaccess password protection, and it shows up as a HEAD request, not a get request. for the password protected area, i want to allow only GET requests. there is multiple attempts by dozens of ip addresses at the same time, so it is hard/not practical to block them or redirect stuff. the attacks come and go, but it would be easier on server resources if would just deny HEAD requests for that directory and not bother to authenicate. ZoiNk |
Quote:
ZoiNk |
So I was right.
Use something like this, this is not PHP but the only way the board will let me post it: PHP Code:
|
drop this in a .htaccess in the directory you want to deny HEAD requests from. Then test to make sure it doesnt deny get/post. It shouldn't tho.
<Limit HEAD> order deny,allow deny from all </Limit> |
<LimitExcept GET POST>
order deny,allow deny from all </LimitExcept> |
| All times are GMT -7. The time now is 09:28 AM. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc123