RewriteCond HTTP_REFERER to allow own site as url parameters and block other url

I want to receive my own site's URL as a $_GET parameter in a few of my pages, but I don't want any other URL to be passed as a $_GET parameter on any webpage. For this, the .htaccess code, with a few other measures, is given here:

<IfModule mod_rewrite.c>
RewriteEngine On

RewriteCond %{QUERY_STRING} ../ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp:  [NC,OR]
RewriteCond %{QUERY_STRING} http:  [NC,OR]
RewriteCond %{QUERY_STRING} https:  [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|ê|"|;|?|*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(127.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|concat|insert|union|declare).* [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteCond %{HTTP_REFERER} !^http://maps.googleapis.com(.*)$
RewriteCond %{HTTP_REFERER} !^http://mysite.com(.*)$
RewriteRule ^(.*)$ - [F,L]

</IfModule>

Even after adding

RewriteCond %{HTTP_REFERER} !^http://mysite.com(.*)$

on the 3rd line from the end, if I try to pass any URL of my website, including http (e.g. 'http://mysite.com'), as a GET parameter in any of my webpages, it returns a 403 error.

Here is the way I am trying to access my site’s url as GET parameter:

'http://mysite.com/abc_page?url=http://mysite.com/efg_page'

Please point out what I am doing wrong with the above code. The code was actually added by the WordPress Better Security Plugin, and I added RewriteCond %{HTTP_REFERER} !^http://mysite.com(.*)$ to allow the URL of my own website.

” added before .com because stackoverflow does not allow to use mysite.com name to place inside body.
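
An added example, not part of the original post or the plugin's code: a small Python model of how mod_rewrite combines the [OR] group with the AND-ed exemptions in the rule above, showing that the HTTP_REFERER condition tests the Referer header of the request and never looks at the url parameter. The condition list is trimmed to the relevant lines, and rule_fires, request, FIXED_CONDS and the extra query-string exemption are assumptions made for illustration.

```python
import re

# Trimmed model of the page's rule: part of the [OR] blacklist group, then the
# AND-ed exemptions. Tuple layout: (server variable, pattern, negated, or_next)
PAGE_CONDS = [
    ("QUERY_STRING", r"http:", False, True),
    ("QUERY_STRING", r"https:", False, True),
    ("QUERY_STRING", r"^.*(request|select|concat|insert|union|declare).*", False, False),
    ("QUERY_STRING", r"^loggedout=true", True, False),
    ("QUERY_STRING", r"^action=rp", True, False),
    ("HTTP_COOKIE", r"^.*wordpress_logged_in_.*$", True, False),
    ("HTTP_REFERER", r"^http://maps.googleapis.com(.*)$", True, False),
    ("HTTP_REFERER", r"^http://mysite.com(.*)$", True, False),
]

# Hypothetical extra exemption (not from the page): test the url parameter itself.
FIXED_CONDS = PAGE_CONDS + [("QUERY_STRING", r"(^|&)url=http://mysite\.com/", True, False)]

def request(query, referer="", cookie=""):
    return {"QUERY_STRING": query, "HTTP_REFERER": referer, "HTTP_COOKIE": cookie}

def rule_fires(conds, env):
    """Return True when the RewriteRule would apply (here [F], a 403)."""
    i = 0
    while i < len(conds):
        var, pattern, negated, or_next = conds[i]
        # Simplification: every pattern is matched case-insensitively.
        hit = re.search(pattern, env.get(var, ""), re.I) is not None
        ok = hit != negated
        if or_next:
            if ok:
                # One member of the OR group matched: skip the rest of the group.
                while i < len(conds) and conds[i][3]:
                    i += 1
        elif not ok:
            return False  # an AND-ed condition failed, the rule does not apply
        i += 1
    return True

if __name__ == "__main__":
    own = "url=http://mysite.com/efg_page"
    print("typed URL, no Referer   ->", rule_fires(PAGE_CONDS, request(own)))
    print("link from own site      ->", rule_fires(PAGE_CONDS, request(own, "http://mysite.com/abc_page")))
    print("query-string exemption  ->", rule_fires(FIXED_CONDS, request(own)))
    print("other URL, exemption on ->", rule_fires(FIXED_CONDS, request("url=http://other.example/x")))
```

The Referer header is supplied by the client, so an exemption keyed on it depends on a value the requester controls.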
