When I was posting my notes about WebP I found out at the time of posting that I could not post on my blog any more. The reason was to be found in my own ModSecurity rules as quite a long time ago I added to the antispam rules one that stops POST requests if they included image/webp in the Accept header.
Unfortunately, for whatever reason, instead of just adding image/webp to all the image requests, they added it to every single request that Chrome makes, including the POST requests when submitting a form… It does not entirely sound correct, to be honest, but there probably was a reason for that.
So I dropped the WebP check from my rules. And today I check my comments, and I found four spam elements. Turns out that the particular check was very effective, and it’s going to be a pain to leave it be. On the other hand, it seems like it’s accepting image/x-bitmap and coming from Firefox, two conditions that I expect are never met by real-life browsers, so I can probably look into adding a rule for that.
Another interesting rule I added recently and that I did not discuss yet is related to the fact that this blog is now only available over HTTPS. Most of the spam comments I receive are posted directly over HTTPS, but they report as referrer the original post’s URL over plain HTTP. Filter these out, and most of my spam is gone.
Long live ModSecurity — the problem is going to be when HTTP2 will be out, as it’s binary and leaves much less space to request fingerprinting.
