Comment on So I kind of set up another level of security well not really more of a gate to
pasjrwoctx@social.2ndshot.photos 2 weeks ago@webfan the only reason to exclude the /inbox route is if you are finding a lot of bots and scrapers accessing your inbox before they scrape your profile, in theory friendicas rules and activitypubs rules should already have your inbox blocked from that activity, I created this because even with a very robust .htaccess file I was getting a lot of bots and scrapers accessing "GET" and "Profile" in my access logs, most where defeating my robots.txt and breaking the rules in .htaccess, this at the moment has killed them, first 2 days they all got 403's and then they just stopped trolling my instance at all; I think it could be customized to your individual needs, I made it shareable, I wont maintain it, it works for me and if by chance it helps anyone well all the better, by all means adapt and modify it to your instance's needs and if it works share it with the community, security and privacy in numbers I say;
webfan@inne.city 2 weeks ago
@pasjrwoctx Sorry, I mean the /inbox route from the check
$is_fediverse =
str_contains($request, '/.well-known/') ||
str_contains($request, '/activitypub/') ||
str_contains($request, '/api/') ||
str_contains($request, '/assets/') ||
str_contains($request, '/inbox');
You could also check for Request-Type headers.
A cookie can be faked, you should consider to store the OK in the session instead?
pasjrwoctx@social.2ndshot.photos 2 weeks ago
webfan@inne.city 2 weeks ago
if ($request === '/' makes it clear, sorry!
$is_fediverse and is_static is not necessary then?
pasjrwoctx@social.2ndshot.photos 2 weeks ago