4

In some of our systems we have a blocklist of IP addresses which stops certain IPs viewing the website. Currently the PHP just issues text saying "your IP address has been blocked" blah blah blah.

HOWEVER

I have come across the HTTP error code 403 and, to be more exact, error code 403.6 (http://en.wikipedia.org/wiki/HTTP_403), which I think would be better than just text.

But I read somewhere that the .6 is only for Windows, or something along those lines??

Can I send a 403.6 header through PHP from my LAMP servers and would this be better practice than just sending "you've been blocked text"?

5
  • Why not just tell the requester "YOU'VE BEEN BLOCKED DUE TO IP"? Most don't have a clue about what a 403 means, much less a 403.6. I guess I'll be interested to see what others have to say. :) Commented Apr 17, 2011 at 23:08
  • It does display simple text ATM and not a 403.6, however it is mainly harvesting/spam servers that get blocked, not humans, so surely a proper error would be better? Commented Apr 17, 2011 at 23:12
  • 2
    So then why not just report 403? Commented Apr 17, 2011 at 23:15
  • Surely a more exact error is better Commented Apr 17, 2011 at 23:31
  • Maybe, for analytics you could tell what was happening. If your main concern is cold-shouldering the dregs of the intertubes, and you're worried about the random false-positive, then I guess you could be in a quandary. Commented Apr 17, 2011 at 23:35

5 Answers

9

Send a simple 403 as it's the correct code for forbidden and then send a custom textual message so your users understand what's going on.

Sample PHP code below.

<?php
// The status line must be sent before any output, so this comes first.
header("HTTP/1.0 403 Forbidden");
?>

<h1>Access Forbidden!</h1>

You have been banned from seeing our site because xx and you will
xx etc ... 

Comments

4

If certain IP addresses have been blocked because they are blacklisted, then it is all right to return a simple 404 "Not Found" HTTP status, especially for addresses that have been marked as 'malicious'.

Don't give them any information they can use. Just say 'nothing to see here' instead of 'here is something you are not allowed to see'.

In any case, always try to provide information on a need-to-know basis.

1 Comment

Another option for malicious requests is to send 500 "server busy" after delaying for several seconds or 200 with junk responses.
1

According to the way HTTP was defined, in true standard way your server should respond with a custom 4xx HTTP status code. Many unused status codes in the 4xx range are available for your use.

And a list of already in use status codes can be found here.

Edit:

You should use both status code and message, but one unrelated to the ones already defined. As an example you could use:

455 Your access has been blocked for excessive crawling

3 Comments

OK, so you think I should use an error code instead of text, but I don't understand whether I should use 403 or 403.6?
Are you suggesting to pick a random 4xx status code and define that as "sorry, I don't like your IP"? How would the client know what your custom status code means?
@BlueEel status code ranges predefine an expected behavior, 4xx <- client error. HTTP was built with user extensions in mind.
0

You could have a .htaccess file setup on your Apache server to block the IP addresses which can include all your blocked IP ranges in a rule. The error message for the 403 message (which is displayed for blocked connections) can also be customized with the .htaccess file.

2 Comments

In that case you can use a HTTP header of 403 and display your customized error message on the page (using PHP).
OK, cheers, this is what other people have said; however, surely a more exact error code would be better if it is possible.
0

I don't think there is any point in returning a 403.6 over a plain 403 if you are going to slam the door in the user's face like that.

The other option, sending a 200 instead with an appropriate message is preferable if, in the interest of user-friendliness, you want to notify the user of what has happened (possibly provide some contact information for those who believe they are being blocked erroneously etc).

Choosing between the "slam the door" approach (which is technically more correct) and the "friendly" approach (which is better for your human users) is your call.

7 Comments

It doesn't have to be one or the other. You can return an "error page" just fine while issuing a 403.
Wow, thank you Jon. As we only block servers and not humans I feel the error code will be more suiting. BUT can a 403.6 be sent or is this only available from a windows server and is the 403.6 accepted across all major browsers?
@deceze: I thought of that too and made a small experiment before answering. FF 4 and Chrome 11 displayed my "sorry" page fine (about 15 bytes of content or so), IE 9 did not (displayed the friendly error page instead). So I opted to not bring that up.
AFAIK very short error pages may be replaced by "browser friendly pages", since they're assumed to only contain the status code text. If you make a full fledged error page, it should show up just fine.
Yes, many browsers like IE do that, so generally what people do is just pad their error page content with some HTML comments etc. Like <!-- ------------PADDING------------ --> ... I think a couple of KB is enough. Google will probably tell you. (PS, I know I'm late to the party, this is for posterity though)
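As an added example (not code from any of the answers above), here is a PHP blocklist check that puts together what the thread converges on: a plain 403 (403.6 is an IIS substatus, not an HTTP status code), a human-readable body, and enough padding that browsers do not swap in their own "friendly" error page. The address ranges and the `ipInCidr`/`isBlocked` helpers are constructed for this example.

```php
<?php
// Constructed placeholder ranges (RFC 5737 documentation addresses), not real blocklist data.
const BLOCKED_RANGES = ['203.0.113.0/24', '198.51.100.7/32'];

// Roughly 2 KB of padding, as the comments above suggest, so IE-style
// "friendly error pages" do not replace the body we send.
const PADDING_LINES = 128;

/** True if the IPv4 address $ip falls inside the CIDR range $cidr. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $subLong = ip2long($subnet);
    if ($ipLong === false || $subLong === false) {
        return false; // not a valid IPv4 address: treat as not matched
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subLong & $mask);
}

/** True if $ip matches any range in $ranges. */
function isBlocked(string $ip, array $ranges = BLOCKED_RANGES): bool
{
    foreach ($ranges as $range) {
        if (ipInCidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the TCP peer address. X-Forwarded-For is set by the client
// and is only meaningful behind a proxy you control, so it is not used here.
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';

if (isBlocked($clientIp)) {
    http_response_code(403);                  // standard "Forbidden"; no Windows-only substatus needed
    header('Content-Type: text/html; charset=utf-8');
    $body = "<!DOCTYPE html>\n<html><head><title>403 Forbidden</title></head><body>\n"
          . "<h1>Access Forbidden</h1>\n"
          . "<p>Requests from your IP address are not accepted by this site.</p>\n"
          . "</body></html>\n";
    // Padding goes after the closing tag; browsers ignore trailing comments.
    echo $body, str_repeat("<!-- padding -->\n", PADDING_LINES);
    exit;
}
```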
