I need to ensure that the user login form for Drupal can not be

Question

0

Asked: June 6, 20262026-06-06T03:09:35+00:00 2026-06-06T03:09:35+00:00

I need to ensure that the user login form for Drupal can not be

0

I need to ensure that the user login form for Drupal can not be signed into when the referrer is from a remote domain. It is a security vulnerability which impacts enterprise acceptance.

The path is: https://domain.com/user

There is currently a rule in place at the end of .htaccess to require https access

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

I looked at this to see how the rule might identify the url, but do not know how I would take that and implement it with the referrer and not impact the other rules for https

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-06T03:09:37+00:00

Editorial Team

2026-06-06T03:09:37+00:00Added an answer on June 6, 2026 at 3:09 am

# if referer not empty
RewriteCond %{HTTP_REFERER} !^$
# and referer doesn't contain domain.com
RewriteCond %{HTTP_REFERER} !domain\.com
# and it is a POST request
RewriteCond %{REQUEST_METHOD} POST [NC]
# than redirect to current url to remove the POST data and show the default login screen
RewriteRule ^(user)$ /$1 [R=302,L]

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I need to ensure that the user login form for Drupal can not be

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply