> the match strings are wrong, should be !^http://....$ Thanks Walter, I tried your suggestion but get the same result. I inherited this site from another company and I've already let my users know that it's an insecure way of doing it and demonstrated with a simple Chrome extension how easy it is to bypass. Is there another way to do this? Brad -----Original Message----- From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx] Sent: Wednesday, June 04, 2014 7:12 AM To: users@xxxxxxxxxxxxxxxx Subject: Re: [users] Only allow access from specific domains? On 03.06.2014 21:05, Brad Harris wrote: > I've been trying to configure a website to send a 403 forbidden error unless the user comes from a specific website/domain, which is a logon page hosted on another server. Design error, because, the Referer is fakeable and makes the logon page not neccessary ... > RewriteEngine On > # this is the domain hosting the login page > RewriteCond %{HTTP_REFERER} !logon_domain.com [NC] > # this is the domain hosting the WordPress site > RewriteCond %{HTTP_REFERER} !wordpress_site.com [NC] > RewriteRule .* - [F] > ErrorDocument 403 http://logon_domain.com/Login.aspx > > The last line of my rewrite error log: > forcing responsecode 403 for /var/www/html/... > the match strings are wrong, should be !^http://....$ Walter --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx