In htaccess, how can I block every visitor except those who come from a specific domain?
I tried this, but without any success:
# serve everyone from specific-domain or specific-user-agent
RewriteCond %{HTTP_REFERER} ^https?://www.specific-domain.com
RewriteRule ^ - [L]
# everybody else receives a forbidden
RewriteRule ^ - [F]
ErrorDocument 403 /forbidden.html
Update: I had certain success with the code below, BUT it broke my webpage, certainly because of the following parameters that override or disturb the appearance. Does someone have a clue how to order it the right way?
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https://authorizedreferer.com
RewriteRule ^ - [L]
RewriteRule ^ https://unprotected.mydomain.com/ [R,L]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
This will indeed allow requests that link from specific-domain.com (i.e. this domain is the HTTP Referer) and block everything else. However, it will also block all requests for your static resources that originate from your site, where your domain is the Referer. So, you need to also allow requests from your domain.
You should also probably allow an empty Referer header, i.e. direct requests, when a user types the URL into their browser address bar. Also note that the Referer header can be suppressed in other ways depending on the referrer-policy as set by the originating website. The user themselves can also override the Referer header, so relying on the Referer header is not reliable.
Try the following:
And to allow an empty Referer, include an additional condition:
Note that you are currently allowing http or https in the Referer. If this is always https then be specific and remove the ? (optional quantifier), i.e. ^https://www\.specific-domain\.com/. And remember to backslash escape the literal dots.
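The ordering described in this answer, written out as an added example that is not part of the original answer: negated conditions refuse only requests with an unrecognised Referer, so permitted requests fall through to the front-controller rules from the question's update instead of being stopped by `[L]`. Assumptions: `www.example.com` is a placeholder for the site's own hostname, and the `/forbidden.html` exception is an addition so the custom 403 page is not itself refused.

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# --- Referer gate: must come before any rule that serves content ---
# Do not gate the 403 page itself, or Apache cannot deliver it.
RewriteCond %{REQUEST_URI} !^/forbidden\.html$
# Permit requests linked from the authorised external site.
RewriteCond %{HTTP_REFERER} !^https://www\.specific-domain\.com/
# Permit requests whose Referer is this site (CSS, JS, images, internal links).
# www.example.com is a placeholder (assumption) for your own hostname.
RewriteCond %{HTTP_REFERER} !^https://www\.example\.com/
# Permit an empty Referer (typed URL, bookmark, header suppressed by referrer-policy).
RewriteCond %{HTTP_REFERER} !^$
# All conditions are ANDed: only a non-empty, unrecognised Referer is refused.
RewriteRule ^ - [F]

# --- Existing rules from the question's update, unchanged and still reachable ---
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

ErrorDocument 403 /forbidden.html
```

Because the client controls the Referer header, this gate filters casual traffic only; content that must stay private needs authentication rather than a Referer check.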