.htaccess, can I block all requests starting with exactly "/index.php?action="

Question

Is there a .htacces way to block all request starting with exactly /index.php?action=?

I figured out:

RewriteCond %{QUERY_STRING} \baction=\b [NC]
RewriteRule ^ - [F]

But how do I put the part /index.php? in front of that pattern. I tried a lot, but it didn't work and only this part of the pattern also blocks &action= parameters somewhere else in a URL

Hope you can help. Many thanks in advance, Nico

Answer 1

You can use THE_REQUEST variable to match full URL and block it like this:

RewriteCond %{THE_REQUEST} /index\.php\?action= [NC]
RewriteRule ^ - [F]

Answer 2

RewriteCond %{QUERY_STRING} \baction=\b [NC]
RewriteRule ^ - [F]

But how do I put the part /index.php? in front of that pattern.

The RewriteRule pattern (ie. ^ in your example) matches the URL-path part of the URL (less the slash prefix). So, you can do it like this:

RewriteCond %{QUERY_STRING} ^action= [NC]
RewriteRule ^index\.php$ - [NC,F]

This matches any request that starts /index.php?action= (case-insensitive).

The regex you had initially (ie. ^) is successful for everything, so would match any URL that starts /<anything>?action=.

The difference between this approach and checking against THE_REQUEST (as in @anubhava's answer) is that this will also block requests that have been internally rewritten to /index.php?action=, whereas THE_REQUEST will only block direct requests from the client.