How do I allow POST to a php file in Apache only from the same origin?

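I have a website with an HTML form that, when submitted, successfully sends a POST request to a .php file on the server (Apache 2.4.48).

However, when I let Javascript handle the submission via JS fetch(), the server responds with a 405 error.

So I analysed the request and response headers of the two POSTs, and they are almost identical, so I am confused as to why the first method works and the other is rejected.

Below is the request/response when sent via the HTML form (the exclamation marks show where the POST requests differ):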

GENERAL
Request URL: https://example.com/php/script.php
Request Method: POST
Status Code: 302 
Remote Address: 160.153.133.187:443
Referrer Policy: origin-when-cross-origin


RESPONSE HEADERS
cache-control: max-age=0                    !
content-length: 0
content-type: text/html; charset=UTF-8
date: Sat, 14 Aug 2021 23:21:34 GMT
expires: Sat, 14 Aug 2021 23:21:34 GMT
location: https://example.com/pages/form-submitted.html#submitted
server: Apache
vary: User-Agent
x-powered-by: PHP/8.0.8


REQUEST HEADERS
:authority: example.com
:method: POST
:path: /php/script.php
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9     !
accept-encoding: gzip, deflate, br
accept-language: en-GB,en;q=0.9,es-ES;q=0.8,es;q=0.7,it-IT;q=0.6,it;q=0.5
cache-control: no-cache
content-length: 96
content-type: application/x-www-form-urlencoded     !
dnt: 1
origin: https://example.com
pragma: no-cache
referer: https://example.com/contact
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
sec-fetch-dest: document        !
sec-fetch-mode: navigate        !
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36


FORM DATA
name: Tai Zen
email: [email protected]
phone-number: 12345678910
privacy-consent: on
submit: 

And here is the request/response when the POST is sent with fetch():

GENERAL
Request URL: https://example.com/php/script.php
Request Method: POST
Status Code: 302 
Remote Address: 160.153.133.187:443
Referrer Policy: same-origin


RESPONSE HEADERS
cache-control: max-age=2741
content-length: 0
content-type: text/html; charset=UTF-8
date: Sat, 14 Aug 2021 23:31:44 GMT
expires: Sun, 15 Aug 2021 00:17:26 GMT
location: https://example.com/405
server: Apache
vary: User-Agent
x-powered-by: PHP/8.0.8


REQUEST HEADERS
:authority: example.com
:method: POST
:path: /php/script.php
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-GB,en;q=0.9,es-ES;q=0.8,es;q=0.7,it-IT;q=0.6,it;q=0.5
cache-control: no-cache
content-length: 471
content-type: multipart/form-data; boundary=----WebKitFormBoundary28YayN0mmqwdpQh0
dnt: 1
origin: https://example.com
pragma: no-cache
referer: https://example.com/contact
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
sec-fetch-dest: empty
sec-fetch-mode: same-origin
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36

FORM DATA
name: Tai Zen
email: [email protected]
phone-number: 12345678910
privacy-consent: on
submit:

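Should I change something on the server side to allow POST requests to that specific file?

However, I want it to receive POST requests only from the JS I wrote, not from external entities, but I don't know exactly how to do that. I tried this answer, but it didn't work; the server gave a 500 error. I think it may be because I am on a shared hosting plan and don't have full access to my Apache settings, but I am not sure that is the reason.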
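
Added example, not part of the original question and not the asker's script: a server-side check in PHP that accepts a POST only when the `origin` and `sec-fetch-site` headers seen in both captures indicate the same origin. `ALLOWED_ORIGIN` and the function name are assumptions; the check filters cross-site browser requests, while a non-browser client can send any header values, so it does not authenticate the caller.

```php
<?php
declare(strict_types=1);

// Assumption: the site's origin, taken from the "origin:" header in the captures.
const ALLOWED_ORIGIN = 'https://example.com';

/** Return true if $server (same shape as $_SERVER) looks like a same-origin browser POST. */
function is_same_origin_post(array $server, string $allowed = ALLOWED_ORIGIN): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Fetch Metadata: set by the browser, not by page script. Reject any
    // value other than same-origin when the header is present.
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($site !== null && $site !== 'same-origin') {
        return false;
    }
    // Origin accompanies POSTs in current browsers (it is in both captures).
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null) {
        return $origin === $allowed;
    }
    // No Origin header: fall back to the Referer's scheme://host[:port].
    $parts = parse_url($server['HTTP_REFERER'] ?? '');
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $port = isset($parts['port']) ? ':' . $parts['port'] : '';
    return ($parts['scheme'] . '://' . $parts['host'] . $port) === $allowed;
}

if (PHP_SAPI !== 'cli') {
    // In the web server: refuse anything that is not a same-origin POST.
    if (!is_same_origin_post($_SERVER)) {
        http_response_code(403);
        exit;
    }
} else {
    // Constructed sample requests, modelled on the header captures above.
    $same = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://example.com', 'HTTP_SEC_FETCH_SITE' => 'same-origin'];
    $samples = [
        'html form'    => $same,
        'fetch()'      => $same,
        'other site'   => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example', 'HTTP_SEC_FETCH_SITE' => 'cross-site'],
        'referer only' => ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://example.com/contact'],
    ];
    foreach ($samples as $name => $server) {
        echo str_pad($name, 14), is_same_origin_post($server) ? 'allow' : 'deny', PHP_EOL;
    }
}
```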
