http status checker: https://httpstatus.io/
or
http://tools.seobook.com/server-header-checker/?url=capefearadventures.com&useragent=8&protocol=11
url: capefearadventures.com
Both checkers return 403, but if I pull up the site in any browser it works fine returning 200.
Any ideas why that would be?
I was able to access the firewall logs and the requests from http status checkers were deemed as DDOS22 - DDOS attemps, therefore blocked. I added their IP to whitelist and the request went through just fine returning 200! Thanks for the pointer!
Related
I am able to bypass 403 page using OPTIONS request method and getting 200 OK response.
The page is an assets/css folder.
Is it a bug or not that I can report to website? Please help
It depends what you mean by "bypass", and whether you are able unexpectedly extract any sensitive information (that should have been protected by authorization) via the OPTIONS request.
In general, it is normal to render a 2XX response to a preflight (OPTIONS) request if the page in question is marked as allowed for cross-origin access. See also answers in: Response for preflight 403 forbidden.
The principal difference here is that if you get an error response for OPTIONS, a cross-origin request from the browser wouldn't even be able to find out that 403; it wouldn't even be performed if the preflight failed.
TL;DR most probably not a bug, working as intended.
I'd like to raise HTTP404 Not Found through WAF(Web Application Firewall) when URL has trailing /, for example www.cde.org/aabb/
I'm following this article, however I can't figure out if/how it can be done.
You can define a custom response status code and response message when
a request is blocked by WAF. The following custom status codes are
supported:
200 OK 403 Forbidden 405 Method not allowed 406 Not acceptable 429 Too
many requests
Does that mean that it's impossible to return 404 by WAF?
Yes, it's impossible by WAF. From WAF response for blocked requests
You can define a custom response status code and response message when
a request is blocked by WAF. The following custom status codes are
supported:
200 OK 403 Forbidden 405 Method not allowed 406 Not acceptable 429 Too
many requests Custom response status code and response message is a
policy level setting. Once it is configured, all blocked requests get
the same custom response status and response message.
So you could set it in your backend web.config file like this.
Please help me in understanding why we get found 302 status. I googled and get to know that this is something to do with redirect. I have two web applications IIS servers and they configured for round robin DNS.
If I check it from fiddler sometimes I get status 302 instead of status 200, This does not happen every time I visit my website. Because of this HP site scope triggering alerts.
I am new to this error, Please Help me.
Disclaimer: not sure if this is SO material. If not, please move it to the appropriate place.
I'm trying to build a web proxy, and I'm unsure what to return to the browser, if the DNS lookup failed (ie. if the domain does not exist). Is there a HTTP status code for this? I tried looking in the Network tab in Chrome, but there's no response for a failed DNS lookup.
There wouldn't be an HTTP code for it, since by definition an HTTP request couldn't be done in the first place is the server's IP couldn't be resolved. Probably the easiest-to-use-instead would be 404 - "not found" or 404.1 - "site not found" if you have IIS 7.0+.
Referencing #Dark Falcon's comment and mysterious withdrawal from the question
"Most I have seen return 502 Bad Gateway or 504 Gateway Timeout"
Does the browser make a new request to the location given in the header?
I ask because I was playing around with Fiddler and noticed when I make a request to a page that returns a 302 HTTP code, there are two entries in the network log. The first is to the initial URL, and the second is to the new location given in the response header of the first request.
I'm just curious if web browsers work the same way, but just hide the first response from the user.
Yes, the browser works in very much similar fashion. You can try requesting a url in Chrome, possibly the one you tried in Fiddler. The Network Log of chrome would show you two requests.
The RFC description of HTTP status code can be read over here,
Quoting from there only, regarding the 302 status code:
RFC 1945 and RFC 2068 specify that the client is not allowed
to change the method on the redirected request. However, most
existing user agent implementations treat 302 as if it were a 303
response, performing a GET on the Location field-value regardless
of the original request method. The status codes 303 and 307 have
been added for servers that wish to make unambiguously clear which
kind of reaction is expected of the client.
When a server responds with a 302 status code, it send back the newer url (to which the current requested old url is to be redirected) to the requesting user-agent (likely a browser). Now, as per the RFC document, the user agent must not request the newer url for 302 status code. Yet most of them do make a second request.
Hope-this-helps.