@webfan cookie could be faked but so can headers, and the way I have it now the cookie is only good for the session, bots and scrapers start a new session every time they probe a domain so no need to store, each time they troll its a new session, putting inbox in the check I guess could be useful to gate it, but when I sat down to do this and dug through all my access logs I did not have even one call for the inbox to be worried about it, now if I get bots or scrapers that start calling for my inbox I will gate it, but my understanding of how friendica and activitypub are setup the inbox should not be callable by bots and scrapers, I maybe wrong on that, I have had this instance up an running a year, and it has be en a lot of learning and trial and error so many errors, but so far this gate has really made my access logs go empty, which for me is good, im still fully federated but the datahogs have slowed or stopped trolling me
Comment on So I kind of set up another level of security well not really more of a gate to
webfan@inne.city 2 weeks ago@pasjrwoctx Sorry, I mean the /inbox route from the check
$is_fediverse =
str_contains($request, '/.well-known/') ||
str_contains($request, '/activitypub/') ||
str_contains($request, '/api/') ||
str_contains($request, '/assets/') ||
str_contains($request, '/inbox');
You could also check for Request-Type headers.
A cookie can be faked, you should consider to store the OK in the session instead?
pasjrwoctx@social.2ndshot.photos 2 weeks ago
pasjrwoctx@social.2ndshot.photos 2 weeks ago
webfan@inne.city 2 weeks ago
if ($request === '/' makes it clear, sorry!
$is_fediverse and is_static is not necessary then?