This project is not covered by Drupal’s security advisory policy.
This simple module adds support to your site to block HTTP POST requests that are not associated with form submissions. This is useful for reducing the potential for attackers to bypass your caching infrastructure by making HTTP POST Requests for pages of your site.
How it works
This module works by adding a predefined hidden field to all forms on your site (using hook_form_alter). We then have a small routine that runs in the settings.php file that checks for the existence of the hidden field in the POST request. The request is allowed if the hidden form field exists, the request is immediately blocked if the hidden field does not exist in the request.
Installation and Configuration
- Download and enable the module as normal.
- Add the following code to your settings.php file:
if (file_exists('./sites/all/modules/post_protector/settings.inc')) { include('./sites/all/modules/post_protector/settings.inc'); $conf['post_protector_enabled'] = TRUE; post_protector_check(); }
Supporting organizations:
Initial development
Project information
Seeking co-maintainer(s)
Maintainers are looking for help reviewing issues.- Maintenance fixes only
Considered feature-complete by its maintainers. - Project categories: Performance
- Created by shawn_smiley on , updated
This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.
