0

How can we know whether our server is giving the 403 Forbidden error properly or not? I want to know because I used some code in my .htaccess file to block referrer websites and spam bots.

 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{HTTP_REFERER} domain1\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} domain2\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} domain3\.com [NC]
 RewriteRule ^(.*)$ - [F,L]
 </IfModule>

I blocked a website using that code but when I visit that website and click on my website link, my website opens fine to me. Shouldn't I receive a 403 forbidden page as the referrer website is listed in .htaccess file?

How can I check whether my website supports 403 forbidden page or not? Is the code correct?

TSA

2 Answers

3

but when I visit that website and click on my website link, my website opens fine to me. Shouldn't I receive a 403 forbidden page as the referrer website is listed in .htaccess file?

For a normal link, under normal conditions, yes. You would expect the request to be blocked. However, blocking using the Referer (HTTP request header) is unreliable.

  • The user's browser can be configured to not send the Referer header.
  • The anchor/link on the source site can be constructed in such a way as to not send the HTTP Referer. In fact, with HTML5, you only need to set the rel="noreferrer" (two r's) attribute on the anchor to prevent the browser from sending the Referer header (part of the Referrer Policy).
  • The Referrer Policy (supported by Chrome and Firefox) allows websites to block all Referer headers on all links coming from a website.

(Note, sometimes it's "Referer" (1 r), sometimes "Referrer" (2 r's).)

Reference:
https://stackoverflow.com/questions/5033300/stop-link-from-sending-referrer-to-destination

MrWhite
  • 1
    Thanks for the reply. I checked with a Chrome extension which helps in customizing the referrer and I got the 403 forbidden error page. So it means my website server should be properly showing the page to blocked referrers. – TSA Aug 28 '17 at 15:33
2

There are many ways to forge a request. You can use Postman (https://www.getpostman.com/postman) for example, or use a library like curl or request.

In your case, you just have to change the Referer field in the header.

eli0T
  • Thanks for your reply. Is it possible for a website server to not show 403 forbidden page due to any issue or setting? I just want to make sure that my server is properly showing 403 forbidden page to blocked referrers. – TSA Aug 28 '17 at 13:16
  • 1
    I am not an apache expert, but your code seems correct. I can't see why a webserver couldn't serve 403 if the rules are written accordingly. You can create a simpler rule to forbid only a certain URL, no matter what the referer is, and test it with your browser. – eli0T Aug 28 '17 at 13:23
  • Thanks. I used an extension for Chrome to use custom referrer and when I tried with a blocked referrer value, my website showed 403 forbidden page. – TSA Aug 28 '17 at 13:24
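
The check both answers describe (send requests with a chosen Referer and read the status code), as an added example that is not part of the original posts. The local `StandIn` server, `status_for`, `demo` and the sample Referer values are constructed for illustration; the stand-in applies the same three patterns as the question's `.htaccess` so the script runs offline.

```python
import re, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The three RewriteCond patterns from the question. [NC] maps to re.I and the
# [OR] chain to any(); mod_rewrite patterns are unanchored, hence search().
BLOCKED = [re.compile(p, re.I) for p in (r"domain1\.com", r"domain2\.com", r"domain3\.com")]

class StandIn(BaseHTTPRequestHandler):
    """Constructed local stand-in for the Apache site, so the demo runs offline."""
    def do_GET(self):
        referer = self.headers.get("Referer", "")
        self.send_response(403 if any(p.search(referer) for p in BLOCKED) else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

# Ignore proxy environment variables so requests go straight to the server.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def status_for(url, referer=None):
    """Return the status code for url with this Referer (None = header absent)."""
    req = urllib.request.Request(url)
    if referer is not None:
        req.add_header("Referer", referer)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        return err.code

CASES = {  # constructed sample Referer values
    "listed": "http://domain1.com/some-page",
    "listed_uppercase": "http://WWW.DOMAIN2.COM/",
    "unlisted": "http://example.org/",
    "no_referer": None,                             # e.g. a rel="noreferrer" link
    "substring_in_host": "http://notdomain3.com/",  # unanchored pattern matches too
    "substring_in_query": "http://example.org/?u=domain1.com",
}

def demo():
    srv = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return {n: status_for(f"http://127.0.0.1:{srv.server_port}/", r) for n, r in CASES.items()}
    finally:
        srv.shutdown(); srv.server_close()

if __name__ == "__main__":
    print(demo())
```

To test the real site, call `status_for` with its URL and each Referer in `CASES`. The last two cases show that the unanchored patterns also block any Referer that merely contains a listed name.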