Confusion w/ .htaccess Needs

Hello,

I have been a SitePoint member for a couple of years (and the proud owner of nearly two dozen books from you guys!) and I’m finally going to make my first post on your forums. :)

I have been struggling to find the answer to my issues surrounding .htaccess and how I think the file is supposed to work. Essentially, I have a development environment (which is mirrored from my live environment) which has access restricted via .htaccess (I deny all and then allow from a few choice IP addresses). There is a new feature that I am trying to build into the website that will run a page through the W3C validator when a button (placed in the footer) is clicked. The button works fine when .htaccess isn’t in the picture, but when .htaccess is in the picture then the validator hits an (expected) 403 error. I have attempted to allow access from the W3C validator via “HTTP_REFERER” but I am getting some incredibly wonky results (such as a completely restricted website, even from those in the “Allow” list).

Does anyone have an up-to-date method in which I can set this .htaccess file up to work as I desire? I have spent hours searching Google, forum threads, blog posts – you name it – all to no avail. Either I completely missed the answer due to mental exhaustion or I am not understanding what I should be doing.

Please advise. Many thanks in advance to those who contribute. If you need further information please do not hesitate to ask.

Best,
Steve

Steve,

The {HTTP_REFERER} variable is renowned for being spoofed by even the dimmest script kiddies so it’s just not a good variable to use for just about anything. If you’re using IP Addresses, try allowing the IP address you get for the W3C validator and expect to have to open a block of IP addresses.

Regards,

DK

Hi DK,

Thank you for your reply. In my research for the fix I had found that a number of people made mention that {HTTP_REFERER} is a poor way to do this. Thank you for confirming that again - I will definitely avoid using that variable.

As for your other suggestion of adding IP addresses…that is the original method I had attempted. Unfortunately after the six consecutive and completely unique IP addresses coming from the W3C validator I had given up on hope of any form of consistency with which IP address the validator would be coming from. Can you think of any other method to make this work?

Steve,

Actually, I was surprised at your intention to allow ANY outside access to your development machine. I don’t allow that so I will make validation checks locally then upload (to a temp directory on a production server, if necessary) to have W3C make their scan. IMHO, you should treat your development machine like a highly valued asset and protect it at all costs!

If you still want to allow access to your development machine, then I would think that the configuration of your firewall would be the first place to look to “make a hole” for external access and you may have to rely on {HTTP_REFERER} after all.

Regards,

DK
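
The two approaches discussed in this thread, side by side, as an added example that is not part of any poster's message. It assumes Apache 2.2-style access directives (matching the "deny all, then allow" setup described); every address is a placeholder from the documentation ranges, and the `from_validator` variable name and the Referer pattern are hypothetical.

```apache
# Added example: two alternative .htaccess files. Use one or the other,
# not both in the same file. All addresses are constructed placeholders.

# --- Variant A: IP allow-list only -----------------------------------------
# Access is decided by the connecting address, which the client cannot
# choose freely for a completed TCP connection.
Order Deny,Allow
Deny from all
# Developer workstations (placeholder addresses)
Allow from 203.0.113.10
Allow from 203.0.113.27
# A whole block opened for an external service (placeholder CIDR range)
Allow from 192.0.2.0/24

# --- Variant B: Referer-based exception (weak) ------------------------------
# mod_setenvif sets the variable whenever the request's Referer header
# matches the pattern. The header is supplied by the client, so any client
# that sends a matching value satisfies the last Allow line, whatever its
# IP address. The pattern below is an assumed value for illustration.
SetEnvIf Referer "^https?://validator\.w3\.org/" from_validator
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from env=from_validator
```

With `Order Deny,Allow`, a request is refused unless at least one `Allow` line matches, so in Variant B the Referer rule widens access to everyone who can set a header, while Variant A only widens it to the listed addresses.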