403 forbidden from Riak 1.2.0 when referer header is set
sean at basho.com
Wed Aug 15 09:56:02 EDT 2012
This is intentional -- in 1.2 we added some measures to counteract
cross-site scripting and request-forgery attacks. For your application, it
would be best to have a reverse-proxy remove the Referer header (as long as
the request is a GET to allowed resources, like your images).
On Wed, Aug 15, 2012 at 8:24 AM, Fredrik Lindström <Fredrik.Lindstrom at qbranch.se> wrote:
> Hi everyone,
> One of the things we use Riak for is to serve images straight to the
> browser (obviously via a firewall etc etc). These images are displayed on
> our webpages so when the browser loads the page it will fire off GET
> requests for the image URLs and for good measure it will include a referer
> header when doing this. This works fine in production since we're still on
> Riak 1.0.2 but our dev and stage clusters have been upgraded to 1.2.0 and
> the story is a bit different there.
> Riak will respond with 403 Forbidden if the referer header is set; the
> same is also logged in the access.log files.
> I found this while digging around:
> "Validate that the Referer matches up with scheme, host and port of the
> machine that received the request"
> Since the referer (http://mysupderduperwebapp.xyz/snazzypage.html) will
> not match the scheme, host and port of the riak node that received the
> request no image will be served.
> Is there any way to configure riak 1.2.0 to allow any referer header value?
Sean Cribbs <sean at basho.com>
Basho Technologies, Inc.
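The two mechanisms discussed in this thread, the 1.2.0 Referer check (scheme, host and port must match the node that received the request) and Sean's suggested reverse-proxy workaround (drop the Referer only on GETs to allowed resources), as an added illustration that is not Riak's code and not from either poster. The node address, port and the image path prefix are constructed assumptions; `referer_allowed` models the rule as quoted in the thread, not Riak's actual implementation.

```python
from urllib.parse import urlsplit

# Constructed sample values (hypothetical, not from the thread): the Riak node that
# receives the browser's request.
NODE_SCHEME = "http"
NODE_HOST = "riak-node.internal"
NODE_PORT = 8098

# Hypothetical path prefix under which the public images live.
ALLOWED_GET_PREFIXES = ("/riak/images/",)


def referer_allowed(referer, scheme, host, port):
    """Model of the 1.2.0 rule quoted in the thread: an absent Referer passes;
    a present one must match the receiving node's scheme, host and port.
    A Referer from any other origin (e.g. the web app's own page) fails."""
    if referer is None:
        return True
    try:
        parts = urlsplit(referer)
        ref_host = (parts.hostname or "").lower()
        ref_port = parts.port  # may raise ValueError on a malformed port
    except ValueError:
        return False  # unparsable Referer: treat as a mismatch
    ref_scheme = parts.scheme.lower()
    if ref_port is None:
        ref_port = 443 if ref_scheme == "https" else 80
    return ref_scheme == scheme.lower() and ref_host == host.lower() and ref_port == port


def proxy_headers(method, path, headers):
    """Headers a reverse proxy would forward upstream, following Sean's advice:
    strip Referer only for GET requests to the allowed image paths, so every
    state-changing request still reaches the node with the header intact and
    the anti-forgery check keeps applying to it."""
    if method == "GET" and path.startswith(ALLOWED_GET_PREFIXES):
        return {k: v for k, v in headers.items() if k.lower() != "referer"}
    return dict(headers)


def node_decision(headers):
    """What the node answers for the forwarded headers: 403 on a Referer mismatch, else 200."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    return 200 if referer_allowed(referer, NODE_SCHEME, NODE_HOST, NODE_PORT) else 403


if __name__ == "__main__":
    # The browser request from the thread: an image GET carrying the page's Referer.
    browser = {"Referer": "http://mysupderduperwebapp.xyz/snazzypage.html"}
    img = "/riak/images/logo.png"
    print("direct GET   :", node_decision(browser))                          # 403
    print("via proxy GET:", node_decision(proxy_headers("GET", img, browser)))  # 200
    print("via proxy PUT:", node_decision(proxy_headers("PUT", img, browser)))  # 403
```

Running the block shows the failure mode Fredrik reports (the page's origin never matches the node, so a direct image GET gets 403) and that the proxy rule restores the image while leaving a PUT through the same proxy subject to the check.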