Waaxe.com - Security Site In memory of Ponca Chief Standing Bear
How to deny POST and other undesired methods in htaccess
Many attacks are performed using the POST method, so it would be necessary to block this method
and use only GET, controlling the parameters and their length. There are also other methods that
you may want to block (DELETE, HEAD, TRACE, TRACK). A simple solution using htaccess in an Apache
environment:
<IfModule mod_rewrite.c>
RewriteEngine On
# Other methods:
RewriteCond %{REQUEST_METHOD} ^(delete|head|trace|track) [NC]
RewriteRule .* - [F,L]
RewriteCond %{REQUEST_METHOD} POST
# allow the server to POST to itself
# (the pattern is a regex: anchor it and escape the dots so only this exact address matches)
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
# allow POST from trusted users
# RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
# (xxx.xxx.xxx.xxx = trusted IP)
# send all other POST requests to 403 Forbidden
# (with [F] the substitution is ignored, so "-" is used)
RewriteRule ^ - [F]
</IfModule>
# Do not use the POST method in forms, ...
# Use only the GET method and check the size of the GET parameters.
# If POST is used, the process does not run correctly.
# If you need POST from a known IP, use -> RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
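
The text above recommends GET-only with checks on the parameters and their length, but shows no rule for that part. The following is an added example, not part of the original page, of how such checks can be written in the same .htaccess with mod_rewrite; the limits (512 and 64 characters) and the allowed character set are assumptions to adjust per application.

```apache
# Added example: length and character checks on the GET query string.
# mod_rewrite sees QUERY_STRING as sent by the client (not URL-decoded),
# so "%" must stay in the allowed set for percent-encoded values.
<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Total query string length: reject anything over 512 characters (assumed limit).
RewriteCond %{QUERY_STRING} ^.{513,}
RewriteRule ^ - [F]

# 2. Per-parameter value length: reject any name=value pair whose value
#    exceeds 64 characters (assumed limit).
RewriteCond %{QUERY_STRING} (^|&)[^=&]*=[^&]{65,}
RewriteRule ^ - [F]

# 3. Character allowlist: reject the request if the query string contains
#    anything outside letters, digits and the listed separators.
#    The trailing "-" in the class is a literal hyphen.
RewriteCond %{QUERY_STRING} [^A-Za-z0-9=&%._~+-]
RewriteRule ^ - [F]
</IfModule>
```

Because the checks run on the undecoded query string, the application must still validate each parameter after decoding.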