Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

.htaccess configuration #14

Open
danielbachhuber opened this issue Sep 19, 2017 · 1 comment
Open

.htaccess configuration #14

danielbachhuber opened this issue Sep 19, 2017 · 1 comment

Comments

@danielbachhuber
Copy link
Collaborator

Because the .htaccess file is a part of many hosts' web server configuration, we should have some recommended dos and don'ts.

For instance, to prevent situations like this (not to call SiteGround out):

Found the source. In our case, Siteground had put the following block in our .htaccess file

# Block Request Method #
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|options|put|trace|track) [NC]
RewriteRule .* - [F]

This was the root cause of the issue. I hadn't had the opportunity to attempt anything to prove the case, but I assume the DELETE and OPTIONS methods would have also failed.

Even better would be some form of automated checker :)

From WordPress/gutenberg#2704 (comment)
@jadonn
Copy link
Contributor

jadonn commented Sep 19, 2017

This kind of problem crops up with ModSecurity, too. It probably would be worthwhile to factor that in when checking for blocks on the request method. Folks used to think restricting the HTTP methods your server can do makes the server more secure. There might be something to some of that for some methods, but I think the "standard" ModSecurity config only allows GET, POST, OPTIONS, and HEAD

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@danielbachhuber @jadonn