How to deny all GET requests made to the index, but allow other routes

Time:12-04

I want to deny GET requests when they are made to the root of the website (www.mywebsite.com), without preventing GET requests to other routes (www.mywebsite.com/thisroute). How is this possible? I could not find the answer to this specific question.

(part of) My config file:

location / {

    #ALLOW CORS#
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
    }
    if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
    }
    if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
    }
    #END OF ALLOW CORS#

    try_files $uri $uri/ =404;
    autoindex on;
    client_max_body_size 20M;
}

CodePudding user response:

One possible solution: to deny GET requests to the root of the website without preventing GET requests to other routes, you can add a location block for the root route / and use the deny directive to deny access to that location. The location block specifies a particular location to which the directives inside it apply. The deny directive denies access to the specified location.

Here is an example of how you can add a location block for the root route / and use the deny directive to deny GET requests to that location:

# Deny GET requests to the root route
location / {
  if ($request_method = 'GET') {
    deny all;
  }

  # The rest of the location block, including the CORS headers, remains unchanged
  if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain; charset=utf-8';
    add_header 'Content-Length' 0;
    return 204;
  }
  if ($request_method = 'POST') {
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
  }
  if ($request_method = 'GET') {
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
  }

  try_files $uri $uri/ =404;
  autoindex on;
  client_max_body_size 20M;
}

In this example, the location block for the root route / checks the request method, and if it is a GET request, it denies access to that location using the deny directive. All other requests, including GET requests to other routes, are allowed and will be processed by the rest of the location block.

Note that the deny directive must be used with caution, as it can prevent access to the entire website if used incorrectly. It is recommended to use it only for specific routes and to provide an alternative location for handling requests that are denied.

CodePudding user response:

To deny GET requests to the root of the website, you can use the deny directive in the Nginx configuration file.

You can add the following code block to your Nginx config file, within the location / block:

if ($request_method = 'GET') {
  deny all;
}

This will block any GET requests made to the root of the website, while allowing GET requests to other routes.

Note: You may need to adjust the code block to match your specific configuration and requirements.

Check out this article for further info
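
An added example, not part of the question or either answer: `location /` is a prefix match that applies to every URI, so restricting only the root needs an exact-match `location = /` block, and inside `if` the refusal is written with `return` because `deny` is not accepted there. The `listen` and `root` values are assumptions for illustration; the host name is the one from the question.

```nginx
server {
    listen 80;                        # assumed
    server_name www.mywebsite.com;    # host name from the question
    root /var/www/html;               # assumed document root

    # Exact match: only the URI "/" lands here (the query string is not
    # part of the match); /thisroute and everything else do not.
    location = / {
        # "return" is allowed inside "if"; "deny" is only valid in the
        # http, server, location and limit_except contexts.
        # HEAD is a separate method: use "~ ^(GET|HEAD)$" to refuse both.
        if ($request_method = GET) {
            return 403;
        }

        # Settings are not inherited from the sibling "location /" block,
        # so repeat whatever non-GET requests to "/" still need.
        if ($request_method = OPTIONS) {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS';
            add_header 'Access-Control-Max-Age' 1728000;
            return 204;
        }
        client_max_body_size 20M;
    }

    # Prefix match: all other URIs keep the behaviour from the question.
    location / {
        # (CORS "if" blocks from the question go here unchanged)
        try_files $uri $uri/ =404;
        autoindex on;
        client_max_body_size 20M;
    }
}
```

Run `nginx -t` before reloading to confirm the configuration parses, then check that a GET to `/` returns 403 while a GET to another route is still served.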
