404/500 error on content images if Referer header is from another domain

Not very familiar with WordPress so I'm not sure what's causing this.

Essentially, we have a few image assets stored under wp-content. When we access some assets (i.e. cmssubdomain.apex.com/wp-content/image.png) we are getting some peculiar behavior around the Referer request header:

  1. It works if accessed without the Referer header
  2. It works if accessed with the Referer header as long as the value matches the cms subdomain
  3. It fails once the Referer header is set to a value different than the subdomain

This is a problem for us as our CMS is hosted under a subdomain (i.e. subdomain1.apex.com), whereas our main site also acts as a proxy to serve CMS content as a path under the main site (i.e. www.apex.com/subdomain1/cmspaths).

Now, the browser sets the referer header, and we are getting 404/500 on images if they are viewed through the main site (proxied content from CMS).

Is handling of Referer header a default WordPress behavior, or is it due to some plugin (security? cors?) that was installed? Can anyone point to where valid domains can be whitelisted?


It has nothing to do with WordPress. Your server is configured to refuse access from other domains. All you need is to enable CORS Origin.

This will allow requests from other domains. But it will decrease security. You might want to change the * (allow all) to your subdomain. Just put it in your .htaccess file.

<IfModule mod_headers.c>
  <FilesMatch "\.(jpg|png|gif)$">
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>
</IfModule>
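
To find where the server branches on the Referer header, the sketch below scans `.htaccess` text for Referer-based rules and replays the three cases from the question against them. It is an added example, not code from the original post or answer. It assumes the block comes from an Apache mod_rewrite hotlink-protection rule; the page does not show the server config, so the sample `.htaccess` and the function names are constructed for illustration.

```python
import re

# Constructed sample .htaccess (not from the page): a typical hotlink-protection
# block that lets through an empty Referer and the CMS host, and forbids the rest.
SAMPLE_HTACCESS = r"""
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP_REFERER} !^$
  RewriteCond %{HTTP_REFERER} !^https?://subdomain1\.apex\.com/ [NC]
  RewriteRule \.(jpg|png|gif)$ - [F,NC,L]
</IfModule>
"""

# Directives that make Apache branch on the Referer request header.
REFERER_DIRECTIVE = re.compile(
    r"^\s*(RewriteCond\s+%\{HTTP_REFERER\}|SetEnvIf(?:NoCase)?\s+Referer)\s+(\S+)",
    re.IGNORECASE,
)

def find_referer_rules(text):
    """Return (line_number, directive, pattern) for every Referer-based rule."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = REFERER_DIRECTIVE.match(line)
        if match:
            directive = match.group(1).split()[0]
            hits.append((number, directive, match.group(2)))
    return hits

def referer_allowed(text, referer):
    """Simplified model of negated RewriteCond lines, which mod_rewrite ANDs:
    the blocking rule fires only when the Referer matches none of the patterns.
    Simplification: every pattern is matched case-insensitively."""
    patterns = [p[1:] for _, d, p in find_referer_rules(text)
                if d.lower() == "rewritecond" and p.startswith("!")]
    if not patterns:
        return True  # no Referer-based allow-list found in this file
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)

if __name__ == "__main__":
    for line_no, directive, pattern in find_referer_rules(SAMPLE_HTACCESS):
        print(f"line {line_no}: {directive} {pattern}")
    for ref in ("", "https://subdomain1.apex.com/", "https://www.apex.com/subdomain1/cmspaths"):
        print(repr(ref), "->", "allowed" if referer_allowed(SAMPLE_HTACCESS, ref) else "blocked")
```

If a rule like this is present, the host patterns on the `RewriteCond` lines are the allow-list to extend with the proxying site's hostname.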
