Prevent non-ajax, non-trusted requests

Created on 28 February 2023, almost 2 years ago

Problem/Motivation

We experienced bots spamming our extlink URLs and added a test to verify that header x-requested-with was XMLHttpRequest.

Steps to reproduce

Find an external link on your site, copy the URL and paste in a new browser window. Ideally these should return forbidden if requested directly.

Proposed resolution

See attached patch which we have successfully used to mitigate this.

Remaining tasks

Please review.

User interface changes

API changes

Data model changes

Note, we have applied our patch against the D9 fork of this module (https://git.drupalcode.org/issue/extlink_extra-3137861.git) - but had to select 8.x-1.x-dev as version.

πŸ› Bug report
Status

Needs review

Version

1.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States msielski

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024