403 forbidden from Riak 1.2.0 when referer header is set

Sean Cribbs sean at basho.com
Wed Aug 15 09:56:02 EDT 2012


Fredrik,

This is intentional -- in 1.2 we added some measures to counteract
cross-site scripting and request-forgery attacks. For your application, it
would be best to have a reverse-proxy remove the Referer header (as long as
the request is a GET to allowed resources, like your images).

On Wed, Aug 15, 2012 at 8:24 AM, Fredrik Lindström <
Fredrik.Lindstrom at qbranch.se> wrote:

>  Hi everyone,
>   One of the things we use Riak for is to serve images straight to the
> browser (obviously via a firewall etc etc). These images are displayed on
> our webpages so when the browser loads the page it will fire off GET
> requests for the image URLs and for good measure it will include a referer
> header when doing this. This works fine in production since we're still on
> Riak 1.0.2 but our dev and stage clusters have been upgraded to 1.2.0 and
> the story is a bit different there.
> Riak will respond with 403 Forbidden if the referer header is set, the
> same is also logged in the access.log files.
>
>  I found this while digging around:
>
> https://github.com/basho/riak_kv/commit/3cd75e76c20b77dec2be0cb36892f5cc79dbec0b
> "Validate that the Referer matches up with scheme, host and port of the
> machine that received the request"
>
>  Since the referer (http://mysupderduperwebapp.xyz/snazzypage.html) will
> not match the scheme, host and port of the riak node that received the
> request no image will be served.
> Is there any way to configure riak 1.2.0 to allow any referer header value?
>
>  /F
>
> _______________________________________________
> riak-users mailing list
> riak-users at lists.basho.com
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
>
>


-- 
Sean Cribbs <sean at basho.com>
Software Engineer
Basho Technologies, Inc.
http://basho.com/
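The check described in the linked commit message, and the proxy-side workaround Sean suggests, modelled as a small added example (this is illustration code written for this page, not Riak's own code and not something from the thread). It assumes a node reachable at http://riak-node.internal:8098 and images served under a /riak/images/ path; both values are made up for the example, as is the header handling of the stand-in proxy.

```python
from urllib.parse import urlsplit


def referer_matches_origin(referer, scheme, host, port):
    """Model of the 1.2.0 check: a request passes if it carries no Referer,
    or if the Referer names the same scheme, host and port as the node
    that received the request. Anything else is rejected (403)."""
    if referer is None:
        return True
    parts = urlsplit(referer)
    try:
        ref_port = parts.port
    except ValueError:  # malformed port in the Referer URL
        return False
    if ref_port is None:
        ref_port = 443 if parts.scheme == "https" else 80
    return (
        parts.scheme == scheme
        and (parts.hostname or "").lower() == host.lower()
        and ref_port == port
    )


def proxy_forwarded_headers(method, path, headers, allowed_prefixes):
    """Headers a reverse proxy in front of Riak would pass on.
    The Referer is dropped only for GET requests to allowed, read-only
    resources (e.g. the image paths); every other request keeps it, so the
    node's cross-site check still applies to anything that could modify data."""
    forwarded = {k: v for k, v in headers.items() if k.lower() != "referer"}
    if method == "GET" and any(path.startswith(p) for p in allowed_prefixes):
        return forwarded
    return dict(headers)


def node_status(method, path, headers, scheme, host, port):
    """HTTP status the (modelled) node returns for the forwarded request."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    return 200 if referer_matches_origin(referer, scheme, host, port) else 403


# Constructed values for the demonstration.
NODE = ("http", "riak-node.internal", 8098)
IMAGE_PREFIXES = ("/riak/images/",)
BROWSER_HEADERS = {"Referer": "http://mysupderduperwebapp.xyz/snazzypage.html"}


def status_via_proxy(method, path, headers=BROWSER_HEADERS):
    """End-to-end: browser request -> proxy -> node, returning the status."""
    forwarded = proxy_forwarded_headers(method, path, headers, IMAGE_PREFIXES)
    return node_status(method, path, forwarded, *NODE)


if __name__ == "__main__":
    # Direct to the node: the web app's Referer does not match the node's origin.
    print(node_status("GET", "/riak/images/logo.png", BROWSER_HEADERS, *NODE))
    # Through the proxy: Referer stripped for the image GET, so it is served.
    print(status_via_proxy("GET", "/riak/images/logo.png"))
    # A PUT keeps its Referer and is still rejected by the node.
    print(status_via_proxy("PUT", "/riak/images/logo.png"))
```

The proxy only strips the header for GETs to the image prefixes, so writes and requests to other resources still reach the node with their Referer intact and are still subject to its check.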