How to Check 403 Forbidden Error Page?
How can we know whether our server is giving the 403 Forbidden error correctly or not? I want to know because I used some code in my .htaccess file to block referrer websites and spam bots.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} domain1\.com [NC,OR]
RewriteCond %{HTTP_REFERER} domain2\.com [NC,OR]
RewriteCond %{HTTP_REFERER} domain3\.com [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
I blocked a website using that code, but when I visit that website and click on my website link, my website opens fine for me. Shouldn't I receive a 403 Forbidden page, as the referrer website is listed in the .htaccess file?
How can I check whether my website supports the 403 Forbidden page or not? Is the code correct?
Solution 1:
There are many ways to forge a request. You can use Postman (https://www.getpostman.com/postman) for example, or use a library like curl or request.
In your case, you just have to change the Referer field in the header.
Solution 2:
> but when I visit that website and click on my website link, my website opens fine to me. Shouldn't I receive a 403 forbidden page as the referrer website is listed in .htaccess file?
For a normal link, under normal conditions, yes. You would expect the request to be blocked. However, blocking using the Referer (HTTP request header) is unreliable.
- The user's browser can be configured to not send the Referer header.
- The anchor/link on the source site can be constructed in such a way as to not send the HTTP Referer. In fact, with HTML5, you only need to set the rel="noreferrer" (two r's) attribute on the anchor to prevent the browser from sending the Referer header (part of the Referrer Policy).
- The Referrer Policy (supported by Chrome and Firefox) allows websites to block all Referer headers on all links coming from a website.
(Note, sometimes it's "Referer" (1 r), sometimes "Referrer" (2 r's).)
Reference:
https://stackoverflow.com/questions/5033300/stop-link-from-sending-referrer-to-destination
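An added example, not part of either answer or the original question: a small Python script that models how the three RewriteCond lines treat different Referer values, and a `probe()` helper for sending the same header to your own site to confirm the real status code. The sample Referer values, the function names and the assumption that an unblocked request returns 200 are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Patterns copied from the RewriteCond lines in the question ([NC] = ignore case,
# [OR] = any one match is enough). Apache matches them as unanchored regexes.
BLOCKED = [r"domain1\.com", r"domain2\.com", r"domain3\.com"]


def expected_status(referer):
    """Model of the rule set: 403 if any pattern matches the Referer, else 200.

    A missing header gives an empty %{HTTP_REFERER}, which no pattern matches.
    The 200 for unblocked requests is an assumption about the site.
    """
    value = referer or ""
    if any(re.search(p, value, re.IGNORECASE) for p in BLOCKED):
        return 403
    return 200


def probe(url, referer=None, timeout=10):
    """Send one GET to your own site with a chosen Referer; return the status code."""
    headers = {"Referer": referer} if referer else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx responses arrive as exceptions
        return err.code


# Constructed sample Referer values (not taken from the page).
SAMPLES = [
    "http://domain1.com/page.html",        # listed site, header sent
    "http://WWW.DOMAIN2.COM/",             # [NC] makes case irrelevant
    None,                                  # rel="noreferrer" or browser setting
    "https://example.org/",                # unrelated site
    "https://notdomain3.com/",             # unanchored pattern also matches this
    "https://example.org/?q=domain1.com",  # ...and this query string
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{str(ref):40} -> {expected_status(ref)}")
    # Live check against your own server (placeholder URL, not run here):
    # probe("https://your-site.example/", "http://domain1.com/") should return 403.
```

If `probe()` returns 403 with the listed Referer but a browser click from that site still loads the page, the browser is most likely not sending the header at all, which is the third sample above.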