
Block everyone, except visitors from specific referrer with htaccess


In .htaccess, how can I block every visitor except those who come from a specific domain?

I tried this but without any success:

    # serve everyone from specific-domain or specific-user-agent
    RewriteCond %{HTTP_REFERER} ^https?://www.specific-domain.com
    RewriteRule ^ - [L]

    # everybody else receives a forbidden
    RewriteRule ^ - [F]

    ErrorDocument 403 /forbidden.html

Update: I had some success with the code below, BUT it broke my webpage, certainly because of the following parameters that override or disturb the appearance. Does anyone have a clue how to order it the right way?

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^https://authorizedreferer.com
    RewriteRule ^ - [L]
    RewriteRule ^ https://unprotected.mydomain.com/ [R,L]
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

Solution

    # serve everyone from specific-domain or specific-user-agent
    RewriteCond %{HTTP_REFERER} ^https?://www.specific-domain.com
    RewriteRule ^ - [L]

    # everybody else receives a forbidden
    RewriteRule ^ - [F]

This will indeed allow requests that link from specific-domain.com (i.e. this domain is the HTTP Referer) and block everything else. However, it will also block all requests for your static resources that originate from your site, where your domain is the Referer. So, you need to also allow requests from your domain.

You should also probably allow an empty Referer header, i.e. direct requests, when a user types the URL into their browser address bar. Also note that the Referer header can be suppressed in other ways depending on the referrer-policy as set by the originating website. The user themselves can also override the Referer header, so relying on the Referer header is not reliable.

Try the following:

    # Serve everyone from specific-domain (and internal requests)
    RewriteCond %{HTTP_REFERER} ^https?://www\.your-domain\.com/ [OR]
    RewriteCond %{HTTP_REFERER} ^https?://www\.specific-domain\.com/
    RewriteRule ^ - [L]

    # everybody else receives a forbidden
    RewriteRule ^ - [F]

And to allow an empty Referer, include an additional condition:

    # Serve everyone from specific-domain (and internal requests and empty referer)
    RewriteCond %{HTTP_REFERER} ^$ [OR]
    RewriteCond %{HTTP_REFERER} ^https?://www\.your-domain\.com/ [OR]
    RewriteCond %{HTTP_REFERER} ^https?://www\.specific-domain\.com/
    RewriteRule ^ - [L]

Note that you are currently allowing http or https in the Referer. If this is always https then be specific and remove the ? (optional quantifier), i.e. ^https://www\.specific-domain\.com/. And remember to backslash escape the literal dots.
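An added example, not taken from the question or the answer: one way to order the rules from the question's update so that the Referer check and the front-controller rewrite coexist. An allow rule with [L] ends the rewrite pass before the /index.php rule is reached, which is what breaks the pretty URLs, so the check is written as a single [F] rule with negated conditions instead; the host names are placeholders, [F] replaces the external redirect from the update, and the error page is excluded from the check so the 403 document itself is not refused.

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Keep the Authorization header available to PHP (rule carried over from the question)
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# Refuse any request whose Referer is neither empty (direct request), nor our own
# site (static assets), nor the authorised referer. Negated conditions are ANDed,
# so one [F] rule does the job and the rules below still run for allowed requests.
# Host names are placeholders. The Referer header is client-controlled, so this is
# a hotlink/deep-link deterrent, not access control.
RewriteCond %{REQUEST_URI} !^/forbidden\.html$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://www\.mydomain\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://authorizedreferer\.com/ [NC]
RewriteRule ^ - [F]

# Front controller (unchanged from the question): real files and directories are
# served directly, everything else is routed to index.php
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# Custom page for the refused requests (from the question's first snippet)
ErrorDocument 403 /forbidden.html
```

Without the REQUEST_URI exclusion, the internal subrequest for /forbidden.html carries the same Referer, is refused as well, and Apache reports a second 403 while serving the error document.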