On 2026-05-08 02:12, Paul wrote:
Hi Paul, restricting to 127.0.0.1 might actually block your legitimate
users, as the POST request comes from their browser's IP, not the server
itself. For Apache 2.4, the best practice is usually implementing CSRF
tokens in your Perl script or using a Require expr block to check the
HTTP_REFERER to ensure the hit is coming from your specific form URL.
Thank you. I am looking at implementing CSRF. At the moment, a 'Require
ip 127.0.0.1' in an .htaccess file in the cgi directory is functional.
Again tnx and br -- Paul
Sent from my iPad
On 7 May 2026 at 19:07, Stormy-SDLU <[email protected]> wrote:
Looking for best practice, please. A <virtualhost> uses html web
forms that pass data to a perl/cgi script /wherever/cgi-bin on the
same server -- unfortunately outside bad actors try to POST unwanted
data into that script directly.
What is best practice to disallow all access to the cgi-bin except for
the local web form? I have a vague memory of 127.0.0.1 being usable
by apache 2.4.x.
Thanks in advance -- Paul
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
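
The token approach suggested in the thread, sketched as an added example that is not code from any of the posters: the script that renders the form embeds an HMAC-signed, time-limited token in a hidden field, and the POST handler rejects any request whose token is missing, altered or expired. The names `issue_token`, `verify_token`, `$MAX_AGE` and the demo secret are assumptions; the token is not bound to a session cookie here, so it only shows that the form was fetched recently.

```perl
#!/usr/bin/perl
# Added example: stateless, time-limited form token for a Perl CGI handler.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed demo secret; in a deployment, read it from a file outside the docroot.
my $SECRET  = 'constructed-demo-secret-change-me';
my $MAX_AGE = 1800;    # seconds a rendered form stays valid (assumed value)

# Called by the script that renders the form; put the result in a hidden field.
sub issue_token {
    my $now = shift // time;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $raw, 16) == 16 or die "short read from urandom";
    close $fh;
    my $nonce = unpack 'H*', $raw;
    return join ':', $now, $nonce, hmac_sha256_hex("$now:$nonce", $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Called by the POST handler before it touches any submitted data.
sub verify_token {
    my ($token, $now) = @_;
    $now //= time;
    return 0 unless defined $token
        && $token =~ /\A(\d{1,12}):([0-9a-f]{32}):([0-9a-f]{64})\z/;
    my ($ts, $nonce, $mac) = ($1, $2, $3);
    return 0 unless ct_eq($mac, hmac_sha256_hex("$ts:$nonce", $SECRET));
    return 0 if $ts > $now || $now - $ts > $MAX_AGE;    # future-dated or expired
    return 1;
}

# Demo on constructed values when run directly (skipped when loaded via require).
unless (caller) {
    my $good = issue_token();
    my $bad  = $good;
    substr($bad, -1) = substr($bad, -1) eq '0' ? '1' : '0';    # alter the MAC
    printf "fresh=%d tampered=%d expired=%d missing=%d\n",
        verify_token($good), verify_token($bad),
        verify_token($good, time + $MAX_AGE + 1), verify_token(undef);
}
```

In the CGI handler, a failed `verify_token` on the submitted hidden field would be answered with a 403 before any further processing.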