I'd like to raise HTTP404 Not Found through WAF(Web Application Firewall) when URL has trailing /, for example www.cde.org/aabb/
I'm following this article, however I can't figure out if/how it can be done.
You can define a custom response status code and response message when
a request is blocked by WAF. The following custom status codes are
supported:
200 OK 403 Forbidden 405 Method not allowed 406 Not acceptable 429 Too
many requests
Does that mean that it's impossible to return 404 by WAF?
Yes, it's impossible by WAF. From WAF response for blocked requests
You can define a custom response status code and response message when
a request is blocked by WAF. The following custom status codes are
supported:
200 OK 403 Forbidden 405 Method not allowed 406 Not acceptable 429 Too
many requests Custom response status code and response message is a
policy level setting. Once it is configured, all blocked requests get
the same custom response status and response message.
So you could set it in your backend web.config file like this.
Related
I am able to bypass 403 page using OPTIONS request method and getting 200 OK response.
The page is an assets/css folder.
Is it a bug or not that I can report to website? Please help
It depends what you mean by "bypass", and whether you are able unexpectedly extract any sensitive information (that should have been protected by authorization) via the OPTIONS request.
In general, it is normal to render a 2XX response to a preflight (OPTIONS) request if the page in question is marked as allowed for cross-origin access. See also answers in: Response for preflight 403 forbidden.
The principal difference here is that if you get an error response for OPTIONS, a cross-origin request from the browser wouldn't even be able to find out that 403; it wouldn't even be performed if the preflight failed.
TL;DR most probably not a bug, working as intended.
Is there a way to log all the request and header information coming to Cloudfront. We have a situation where a site hits Cloudfront and returns http 200. We have one situation where requests generated from a specific source is sending http 400. So we would like to log the full request coming to cloudfront for analysis.
http status checker: https://httpstatus.io/
or
http://tools.seobook.com/server-header-checker/?url=capefearadventures.com&useragent=8&protocol=11
url: capefearadventures.com
Both checkers return 403, but if I pull up the site in any browser it works fine returning 200.
Any ideas why that would be?
I was able to access the firewall logs and the requests from http status checkers were deemed as DDOS22 - DDOS attemps, therefore blocked. I added their IP to whitelist and the request went through just fine returning 200! Thanks for the pointer!
When I make a post request to my node.js backend using axios and I look in my chrome console network tab, I see 2 http requests to the endpoint instead of 1.
The first one has a status code of 200 and a response of GET,HEAD,POST
The second one is the one I was expecting which is a status code of 200 and whatever I set my response to be.
Is it normal to get that 1st response of GET,HEAD,POST as well or am I doing something wrong here?
As you indicated that you're using different hosts (or ports at least), this is a default behaviour of browsers to check, if the CORS protocol is understood.
From MDN:
CORS (Cross-Origin Resource Sharing) is a system, consisting of transmitting HTTP headers, that determines whether browsers block frontend JavaScript code from accessing responses for cross-origin requests.
The same-origin security policy forbids cross-origin access to resources. But CORS gives web servers the ability to say they want to opt into allowing cross-origin access to their resources.
You can find more about CORS and prefligh requests in the MDN docs.
Does the browser make a new request to the location given in the header?
I ask because I was playing around with Fiddler and noticed when I make a request to a page that returns a 302 HTTP code, there are two entries in the network log. The first is to the initial URL, and the second is to the new location given in the response header of the first request.
I'm just curious if web browsers work the same way, but just hide the first response from the user.
Yes, the browser works in very much similar fashion. You can try requesting a url in Chrome, possibly the one you tried in Fiddler. The Network Log of chrome would show you two requests.
The RFC description of HTTP status code can be read over here,
Quoting from there only, regarding the 302 status code:
RFC 1945 and RFC 2068 specify that the client is not allowed
to change the method on the redirected request. However, most
existing user agent implementations treat 302 as if it were a 303
response, performing a GET on the Location field-value regardless
of the original request method. The status codes 303 and 307 have
been added for servers that wish to make unambiguously clear which
kind of reaction is expected of the client.
When a server responds with a 302 status code, it send back the newer url (to which the current requested old url is to be redirected) to the requesting user-agent (likely a browser). Now, as per the RFC document, the user agent must not request the newer url for 302 status code. Yet most of them do make a second request.
Hope-this-helps.