Prevent non-ajax, non-trusted requests

Created on 28 February 2023, over 1 year ago

We experienced bots spamming our extlink URLs and added a test to verify that header x-requested-with was XMLHttpRequest.

Find an external link on your site, copy the URL and paste in a new browser window. Ideally these should return forbidden if requested directly.

See attached patch which we have successfully used to mitigate this.

Please review.

Note, we have applied our patch against the D9 fork of this module (https://git.drupalcode.org/issue/extlink_extra-3137861.git) - but had to select 8.x-1.x-dev as version.

🐛 Bug report

Status

Needs review

Version

1.0

Component

Code

Created by

🇺🇸United States msielski

Live updates comments and jobs are added and updated live.

Comments & Activities

Production build 0.69.0 2024