unexpected token at 'alihack<%eval request("alihack.com")%>
...it can be blocked in your nginx config.
The following snippet can be placed inside the server block and returns a '400 Bad Request' with a short text message in the body.
A big assumption here is that your app does not itself accept JSON over PUT: the rule blocks every JSON PUT request, not just the probe. If that is a problem, it could be refined to also check for a third header that your own app sets and to exempt requests that carry it.
You could instead close the connection without a response (444) or redirect (both commented out below).
# ali.txt attempt on any URL: flag requests that are both JSON and PUT
# Match the type as a prefix so "application/json; charset=utf-8" is caught as well
if ($content_type ~* "^application/json") {
set $ali_txt JSON;
}
if ($request_method = PUT) {
set $ali_txt "${ali_txt}_PUT";
}
# Only when both conditions held is $ali_txt exactly JSON_PUT
if ($ali_txt = JSON_PUT) {
return 400 "Bad request - ignoring";
# return 444;                                   # drop the connection, send nothing
# return 301 http://www.example.com/some-page;  # or redirect the probe elsewhere
}
This should not be placed inside a location block.
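As an added example (not the original post's configuration): the same rule written with a map instead of chained ifs, with the refinement mentioned above so that requests carrying a header your own app sets are exempt. The header name X-My-App, the server_name and the upstream address are assumptions; the block itself is complete and loads as written.

```nginx
# The map must live at http level. It joins method, content type and the
# (assumed) app header into one string and matches the probe's shape:
# a PUT, a JSON content type (with or without charset), and no app header,
# which leaves the trailing field empty.
map "$request_method:$content_type:$http_x_my_app" $ali_block {
    default 0;
    "~*^PUT:application/json[^:]*:$" 1;
}

server {
    listen 80;
    server_name example.com;              # assumption

    # A bare "return" inside a server-level "if" is one of the safe uses of "if".
    if ($ali_block) {
        return 400 "Bad request - ignoring";
    }

    location / {
        proxy_pass http://127.0.0.1:3000;  # assumption: the Rails app behind nginx
    }
}
```

A legitimate client that sends `X-My-App: 1` together with its JSON PUT falls through to the default of 0 and reaches the app; the probe, which sends no such header, gets the 400. Any header name works as long as the app sets it and a generic scanner does not.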
5 comments:
Hi! Wouldn't this code block *all* JSON PUT attempts? If so, this may break legit asynchronous calls.
Doesn't this come with a fairly huge caveat? Looks like it would break all PUT JSON requests, good or bad. If so, it could mess up your APIs, especially since your Rails-level tests would pass but nginx would deny those requests.
You are both right - I have updated the post. Thanks.
we did this:
location /ali.txt {
if ($request_method = PUT ) {
return 400 "Bad request - ignoring";
}
}