Only allow the POST method for a specific file in a directory
Solution 1
You could use the Require directive:
<Directory "/var/www/folder">
    <Files "index.php">
        Require method POST
    </Files>
</Directory>
However, since that's part of the authorization section, you may want to try this instead:
<Directory "/var/www/folder">
    <Files "index.php">
        <LimitExcept POST>
            Order allow,deny
            Deny from all
        </LimitExcept>
    </Files>
</Directory>
Solution 2
If your Apache config tricks don't work, you could do it in the index.php itself. At the top of the file add something like this:
<?php
// Reject every request method other than POST before any other code runs.
if ($_SERVER['REQUEST_METHOD'] != "POST") {
    header("HTTP/1.0 403 Forbidden");
    print("Forbidden");
    exit();
}
Solution 3
The Order, Allow and Deny family of access control directives have been deprecated in favour of mod_authz_host.
This may actually be the reason that your existing config is not working, as any conflicting Require directives will take precedence over your config (which is still supported by means of mod_access_compat, but these directives will be removed in a future version).
Since you are using the 2.4 family, you should also be using the new style directives. I have tested the below configuration on 2.4.4 and it works as desired:
<Directory "/var/www/folder">
    Require all granted
    <Files "index.php">
        <LimitExcept POST>
            Require all denied
        </LimitExcept>
    </Files>
</Directory>
Jack's observation that you could use the Require method directive is also correct and arguably a more 2.4-like way of doing this.
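To confirm that any of the configurations above really refuses everything except POST, the following added example (not part of the original answers) sends one request per method and lists the methods whose status contradicts the policy. Host and path follow the question; port 80, the constructed FOO verb and the function names are assumptions.

```python
# Added example (not from the thread): check that a URL enforces a POST-only policy.
import http.client

# "FOO" is a constructed, non-standard verb: <LimitExcept POST> should also
# cover methods that are not named anywhere in the configuration.
METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "FOO")
WITH_BODY = ("POST", "PUT", "PATCH")


def probe_methods(host, port, path, methods=METHODS, timeout=5):
    """Send one request per method; return {method: status or None if unreachable}."""
    results = {}
    for method in methods:
        body = b"probe=1" if method in WITH_BODY else None
        headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path, body=body, headers=headers)
            response = conn.getresponse()
            response.read()  # drain the body so the connection closes cleanly
            results[method] = response.status
        except (OSError, http.client.HTTPException):
            results[method] = None
        finally:
            conn.close()
    return results


def policy_violations(results, allowed=("POST",)):
    """Return the sorted list of methods whose status contradicts the policy."""
    violations = []
    for method, status in results.items():
        if status is None:  # no answer: inconclusive, not a violation
            continue
        if method in allowed and status in (403, 405):  # allowed verb was refused
            violations.append(method)
        elif method not in allowed and status < 400:  # other verb was not refused
            violations.append(method)
    return sorted(violations)


if __name__ == "__main__":
    # Host and path follow the question; port 80 is an assumption.
    statuses = probe_methods("127.0.0.1", 80, "/folder/index.php")
    for name, code in statuses.items():
        print(f"{name:8} {code}")
    print("violations:", ", ".join(policy_violations(statuses)) or "none")
```

Run it after every change to the access-control section; a method reported as a violation means some request other than POST still reaches index.php, or POST itself is being refused.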
Dave Chen
Updated on September 18, 2022
Comments
-
Dave Chen over 1 year
I have one file that should only be accessible via the POST method.
/var/www/folder/index.php
The document root is /var/www/ and index.php is nested inside a folder.
Version of Apache is: 2.4.4.
My configurations are as follows:
<Directory "/var/www/folder">
    <Files "index.php">
        order deny,allow
        Allow from all
        <LimitExcept POST>
            Deny from all
        </LimitExcept>
    </Files>
</Directory>
I visit my server at 127.0.0.1/folder but I can GET and POST the file just like normal.
I've also tried reversing the order, order allow,deny, require, limitexcept and limit.
How can I only allow POST requests to be processed by one file in a folder?
-
Dave Chen over 10 years
Can you provide an example of where this might be insecure?
-
Dave Chen over 10 years
Sorry, I would prefer to do this at the Apache level. If this were a PHP issue, I'd post this on StackOverflow :)
-
Dr I over 10 years
Hi Dave, indeed, this solution completely fits your needs and it is secure unless you're using it on random/variable directories. For example: a regex looking for a specific directory, or a not too variable one, will be able to do the job correctly. Now let's say that you want this filtering to work on a really variable format of directory (on API randomly ;-) ), then you'll have to deal with a potentially large number of possibilities, which can lead to an unexpected result. I mean, are you sure that your regex will be catching every possible URI? Are you sure that it will evolve?