Improvements #13880
Improvements #13877 (open): Be less permissive to bots
Make configuration for serving (image) resources to bots
Description
When a bot requests a page that contains an image, then depending on how that image was created, it may see an image whose src has the form ...?(wtd=..&)request=resource&resource=...&ver=...
In case the resource is hosted by the WServer (and is thus a public resource), bots can retrieve it correctly. Such URLs do not carry the above parameters.
In the case of a resource hosted by the WApplication, however (meaning a private, session-bound resource), bots will NOT be able to retrieve it: the session that created the resource has already been terminated by the time the bot follows the URL.
Depending on the path, this either results in an invalid request or, in many cases, in a request for the path preceding the HTTP query string. In the latter case the page itself is requested and served as HTML, which creates a new session for the bot and immediately terminates it again.
However, this page is NOT what the application intended to serve.
We should ensure that such requests are never processed, and never served, when the client is a bot. This means:
- blocking such requests from generating a new session and responding with a new page; instead, an error with a code in the 400 range is returned.
- not generating these paths for bots at all. This should be configurable (wt_config.xml):
  - either the configuration allows them to be created, and a 4xx error is returned when a bot requests one;
  - or the configuration specifies that a static image should be served instead. This requires the image to be served after the server has rendered it out (this can be SVG or raster).
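The first point above, the gate that refuses to spin up a session for a bot following a stale session-bound resource URL, can be illustrated standalone. The following is an added example and not Wt project code: it only parses the query string for the parameter names the issue mentions (wtd, request=resource, resource, ver) and decides between serving and a 400-range rejection. How the server decides that the client is a bot (Wt's own user-agent matching) is taken as an input flag here, and the names decideForRequest, isSessionBoundResourceUrl and httpStatusFor are assumptions for this example, not Wt API.

```cpp
// Added example (not Wt project code): classify an incoming request URL the way
// the issue proposes, so that a bot hitting a session-bound resource URL gets a
// 4xx instead of a freshly created (and immediately terminated) session.
#include <iostream>
#include <map>
#include <string>
#include <string_view>

// Parse the query part of a URL into key/value pairs. The Wt-internal parameter
// names we care about contain no percent-encoded characters, so no decoding is done.
std::map<std::string, std::string> parseQuery(std::string_view url) {
    std::map<std::string, std::string> params;
    auto q = url.find('?');
    if (q == std::string_view::npos) return params;
    std::string_view query = url.substr(q + 1);
    while (!query.empty()) {
        auto amp = query.find('&');
        std::string_view pair = query.substr(0, amp);
        auto eq = pair.find('=');
        if (eq == std::string_view::npos)
            params.emplace(std::string(pair), "");
        else
            params.emplace(std::string(pair.substr(0, eq)),
                           std::string(pair.substr(eq + 1)));
        if (amp == std::string_view::npos) break;
        query.remove_prefix(amp + 1);
    }
    return params;
}

// A resource URL minted by a WApplication carries request=resource&resource=...
// (and possibly wtd=<session id> and ver=...). A URL registered on the WServer
// (a public resource) carries none of these parameters.
bool isSessionBoundResourceUrl(std::string_view url) {
    auto p = parseQuery(url);
    auto it = p.find("request");
    return it != p.end() && it->second == "resource" && p.count("resource") > 0;
}

enum class Decision { Serve, RejectBadRequest };

// Hypothetical gate (assumed name): a bot never gets a new session in response
// to a session-bound resource URL; every other request proceeds as before.
Decision decideForRequest(std::string_view url, bool clientIsBot) {
    if (clientIsBot && isSessionBoundResourceUrl(url))
        return Decision::RejectBadRequest;
    return Decision::Serve;
}

// Map the decision to the status code the issue asks for (an error in the 400 range).
int httpStatusFor(Decision d) {
    return d == Decision::RejectBadRequest ? 400 : 200;
}

int main() {
    // Constructed sample URLs, not captured traffic.
    const char* samples[] = {
        "/app?wtd=abc123&request=resource&resource=img1&ver=2",  // private, session-bound
        "/app?request=resource&resource=img1&ver=2",             // private, no wtd
        "/static/logo.png",                                      // WServer-hosted, public
    };
    for (const char* url : samples) {
        std::cout << url << " (bot) -> "
                  << httpStatusFor(decideForRequest(url, true)) << "\n";
    }
    return 0;
}
```

The same URLs requested by a regular browser with a live session still return Serve; the gate only changes behaviour for the bot case, which is exactly the scope the issue describes.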
Updated by Romain Mardulyn 4 days ago
- Status changed from New to InProgress
- Assignee set to Romain Mardulyn