Posted

Hi.
Assume there is a network with 100 users, all of whom share the same IP address to access the internet.
Now, one user runs a program that sends a large number of "POST" commands to a website address at once,
causing the website to become inaccessible! How can this problem be solved?
Since the IP addresses are the same, the IP address cannot be blocked.

Posted
9 minutes ago, WSIINNDA said:

Hi.
Assume there is a network with 100 users, all of whom share the same IP address to access the internet.
Now, one user runs a program that sends a large number of "POST" commands to a website address at once,
causing the website to become inaccessible! How can this problem be solved?
Since the IP addresses are the same, the IP address cannot be blocked.

fMkqlgn.gif

Posted
1 hour ago, WSIINNDA said:

Hi.
Assume there is a network with 100 users, all of whom share the same IP address to access the internet.
Now, one user runs a program that sends a large number of "POST" commands to a website address at once,
causing the website to become inaccessible! How can this problem be solved?
Since the IP addresses are the same, the IP address cannot be blocked.

You can try to disable POST commands on UniGUIServerModuleHTTPCommand

1.

  // Inside UniGUIServerModuleHTTPCommand. PosEx needs StrUtils in the uses clause.
  // Reject requests that announce chunked transfer encoding anywhere in the headers.
  if (AnsiUpperCase(ARequestInfo.TransferEncoding) = 'CHUNKED')
    or (PosEx('CHUNKED', AnsiUpperCase(ARequestInfo.CustomHeaders.Text)) > 0)
    or (PosEx('CHUNKED', AnsiUpperCase(ARequestInfo.RawHeaders.Text)) > 0) then
  begin
    AResponseInfo.ContentText := 'Disabled POST command';
    Handled := True;                       // stop uniGUI from processing the request further
    AResponseInfo.CloseConnection := True;
    AResponseInfo.CloseSession;
    SaveHTMLLog('CLOSED SESSION (DISABLED POST, chunked encoding)'
      + ', COMMAND: ' + ARequestInfo.Command
      + ', RAW COMMAND: ' + ARequestInfo.RawHTTPCommand);
  end;

 

2. or disable POST custom headers

DisabledPOSTHeaders - your list with disabled post headers

    // DisabledPOSTHeaders: a TStrings holding the header names to reject.
    if (ARequestInfo <> nil) and (ARequestInfo.CustomHeaders <> nil) then
      for I := DisabledPOSTHeaders.Count - 1 downto 0 do
      begin
        if (Trim(DisabledPOSTHeaders[I]) <> '')
          and (PosEx(Trim(DisabledPOSTHeaders[I]) + ':', ARequestInfo.CustomHeaders.Text) > 0) then
        begin
          try
            AResponseInfo.ContentText := 'Disabled POST headers';
            Handled := True;
            AResponseInfo.CloseConnection := True;
            AResponseInfo.CloseSession;
            SaveHTMLLog('CLOSED SESSION (DISABLED POST Custom Headers): ' + DisabledPOSTHeaders[I]
              + #13#10 + 'Headers: ' + ARequestInfo.CustomHeaders.Text
              + ', COMMAND: ' + ARequestInfo.Command
              + ', RAW COMMAND: ' + ARequestInfo.RawHTTPCommand);
          except
            // swallow logging errors; the request has already been rejected
          end;
          Break; // one matching header is enough
        end;
      end;

Posted
16 minutes ago, irigsoft said:

You can try to disable POST commands on UniGUIServerModuleHTTPCommand

1.

  // Inside UniGUIServerModuleHTTPCommand. PosEx needs StrUtils in the uses clause.
  // Reject requests that announce chunked transfer encoding anywhere in the headers.
  if (AnsiUpperCase(ARequestInfo.TransferEncoding) = 'CHUNKED')
    or (PosEx('CHUNKED', AnsiUpperCase(ARequestInfo.CustomHeaders.Text)) > 0)
    or (PosEx('CHUNKED', AnsiUpperCase(ARequestInfo.RawHeaders.Text)) > 0) then
  begin
    AResponseInfo.ContentText := 'Disabled POST command';
    Handled := True;                       // stop uniGUI from processing the request further
    AResponseInfo.CloseConnection := True;
    AResponseInfo.CloseSession;
    SaveHTMLLog('CLOSED SESSION (DISABLED POST, chunked encoding)'
      + ', COMMAND: ' + ARequestInfo.Command
      + ', RAW COMMAND: ' + ARequestInfo.RawHTTPCommand);
  end;

 

2. or disable POST custom headers

DisabledPOSTHeaders - your list with disabled post headers

    // DisabledPOSTHeaders: a TStrings holding the header names to reject.
    if (ARequestInfo <> nil) and (ARequestInfo.CustomHeaders <> nil) then
      for I := DisabledPOSTHeaders.Count - 1 downto 0 do
      begin
        if (Trim(DisabledPOSTHeaders[I]) <> '')
          and (PosEx(Trim(DisabledPOSTHeaders[I]) + ':', ARequestInfo.CustomHeaders.Text) > 0) then
        begin
          try
            AResponseInfo.ContentText := 'Disabled POST headers';
            Handled := True;
            AResponseInfo.CloseConnection := True;
            AResponseInfo.CloseSession;
            SaveHTMLLog('CLOSED SESSION (DISABLED POST Custom Headers): ' + DisabledPOSTHeaders[I]
              + #13#10 + 'Headers: ' + ARequestInfo.CustomHeaders.Text
              + ', COMMAND: ' + ARequestInfo.Command
              + ', RAW COMMAND: ' + ARequestInfo.RawHTTPCommand);
          except
            // swallow logging errors; the request has already been rejected
          end;
          Break; // one matching header is enough
        end;
      end;

This can't be done; I've tested it before. If I disable "POST," the website won't work.
The code you wrote, I tested the first part; still, the site completely crashes, and I couldn't test the second part.

Posted
7 minutes ago, WSIINNDA said:

This can't be done; I've tested it before. If I disable "POST," the website won't work.
The code you wrote, I tested the first part; still, the site completely crashes, and I couldn't test the second part.

Can you share some POST commands?

I see you can freeze your app

Posted
1 minute ago, irigsoft said:

Can you share some POST commands?

I see you can freeze your app

The "POST" command itself can be sent in various ways with different headers and so on, meaning there is never a fixed pattern that allows me to say: if a large number of identical commands are received, block them.
I don't know, it seems like a major issue to me, as it can easily disable a web application.

I think it would be better for you to share a website address and see the results.

  • Confused 1
Posted
7 minutes ago, WSIINNDA said:

The "POST" command itself can be sent in various ways with different headers and so on, meaning there is never a fixed pattern that allows me to say: if a large number of identical commands are received, block them.
I don't know, it seems like a major issue to me, as it can easily disable a web application.

I think it would be better for you to share a website address and see the results.

Did you try it?

 

https://stackoverflow.com/questions/5009326/block-http-post-request

https://security.stackexchange.com/questions/268202/how-to-block-a-post-curl-request

 

My second part blocks a list of POST headers; try only this option!

Posted
1 hour ago, WSIINNDA said:

This can't be done; I've tested it before. If I disable "POST," the website won't work.

maybe they want to work and receive POST commands without freezing or blocking

Posted
1 hour ago, Farshad Mohajeri said:

For HyperServer:

image.png

This way it became much better, I tested it and everything was correct.
Only if a user with a shared IP runs the "POST" command repeatedly, no new user will be able to use the website anymore.

  • Administrators
Posted
1 hour ago, WSIINNDA said:

This way it became much better, I tested it and everything was correct.
Only if a user with a shared IP runs the "POST" command repeatedly, no new user will be able to use the website anymore.

Yes, but only if the new users are from the same IP. The situation will be back to normal after the antiflood duration has passed.

  • Like 1
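The exchange above turns on what the flood limiter is keyed on: if the key is the IP address alone, one flooding client locks out everyone behind the same shared IP until the antiflood duration lapses. The following is an added example, not uniGUI's AntiFlood implementation (which is not shown on this page): a sliding-window limiter whose key function can be swapped, with a constructed request stream of one flooder and one well-behaved user behind the same address. Keying on IP plus a per-client session identifier is an assumption used to show the alternative, not a documented uniGUI option.

```python
import time
from collections import deque

WINDOW_SECONDS = 10   # constructed: requests are counted over this window
MAX_REQUESTS = 20     # constructed: more than this within the window trips the limiter
BLOCK_SECONDS = 30    # constructed: the "antiflood duration" during which the key is refused


class FloodLimiter:
    """Sliding-window flood limiter keyed on an arbitrary string.

    A key that exceeds MAX_REQUESTS within WINDOW_SECONDS is refused for
    BLOCK_SECONDS, after which its history is cleared and it starts fresh.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS, block=BLOCK_SECONDS):
        self.window = window
        self.limit = limit
        self.block = block
        self.hits = {}           # key -> deque of request timestamps inside the window
        self.blocked_until = {}  # key -> time at which the block lapses

    def allow(self, key, now=None):
        """Return True if the request for `key` at time `now` may proceed."""
        now = time.time() if now is None else now
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return False          # still inside the antiflood duration
            del self.blocked_until[key]
            self.hits.pop(key, None)  # block expired: forget the old history
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()               # drop timestamps that fell out of the window
        q.append(now)
        if len(q) > self.limit:
            self.blocked_until[key] = now + self.block
            return False
        return True


def key_by_ip(req):
    """The behaviour discussed in the thread: everyone behind one IP shares a bucket."""
    return req["ip"]


def key_by_ip_and_session(req):
    """Assumed alternative: IP plus a per-client session id (constructed, not a uniGUI feature)."""
    return f'{req["ip"]}|{req.get("session", "-")}'


def simulate(key_fn):
    """Replay a constructed stream: 40 POSTs in 4 s from one client, then a second
    client behind the same public IP making 5 requests one second apart.
    Returns how many of the second client's requests were admitted."""
    limiter = FloodLimiter()
    admitted = 0
    t = 0.0
    for _ in range(40):
        t += 0.1
        limiter.allow(key_fn({"ip": "203.0.113.7", "session": "flooder"}), t)
    for _ in range(5):
        t += 1.0
        if limiter.allow(key_fn({"ip": "203.0.113.7", "session": "newuser"}), t):
            admitted += 1
    return admitted


if __name__ == "__main__":
    print("keyed on IP only, well-behaved user admitted:", simulate(key_by_ip))
    print("keyed on IP+session, well-behaved user admitted:", simulate(key_by_ip_and_session))
```

With the IP-only key the second user gets nothing through until the block lapses, which is exactly the shared-IP trade-off described above; with a finer key the flooder is still cut off at the 21st request while the other user is unaffected. Whatever the finer key is, it must be something the flooder cannot mint for free, or the limiter is simply bypassed by rotating it.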
Posted
On 12/26/2025 at 8:17 PM, Farshad Mohajeri said:

Yes, but only if the new users are from the same IP. The situation will be back to normal after the antiflood duration has passed.


@Farshad Mohajeri
 

When the network is configured as a Reverse Proxy or Load Balancer,
the following code unfortunately does not work:

ARequestInfo.RemoteIP;

This means that for all clients, this code displays the same shared IP address, regardless of which ISP the user is using.
All users will have the same IP address.

However, the real IP address of users can be obtained using one of the following two methods:

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
  var Handled: Boolean);
var
  ClientIP: string;
begin
  ClientIP := '';

  // 1. Header appended by the reverse proxy / load balancer.
  //    It may contain a comma-separated chain when several proxies are involved.
  ClientIP := ARequestInfo.RawHeaders.Values['X-Forwarded-For'];

  // 2. Fallback header set by some proxies.
  if ClientIP = '' then
    ClientIP := ARequestInfo.RawHeaders.Values['X-Real-IP'];

  // ClientIP ......
end;

Is it possible in future updates that the above codes could also be included in ARequestInfo.RemoteIP;?
Otherwise, the IP address will not be displayed correctly if the user is using an intermediate server.
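Both headers in the post above are ordinary request headers, so whatever the server reads from them is only as trustworthy as the proxy that set them: a client talking to the server directly can send its own X-Forwarded-For. The following is an added example, not uniGUI or Indy code, of how a server can derive the client address from those headers without trusting a value the client could have written itself. The trusted proxy ranges are constructed for the example.

```python
import ipaddress

# Constructed: the address ranges of our own reverse proxy / load balancer tier.
# Only X-Forwarded-For hops appended by these hosts are believed.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _is_trusted(addr):
    """True if `addr` parses as an IP that belongs to one of our proxies."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def _valid_ip(addr):
    """Normalised textual form of `addr`, or None if it is not an IP address."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None


def client_ip(remote_ip, headers):
    """Return the address a flood limiter or log should attribute the request to.

    remote_ip: the TCP peer address (what ARequestInfo.RemoteIP reports).
    headers:   request headers as a dict; names are matched case-insensitively.

    If the peer is not one of our proxies, any forwarding headers were written by
    the client itself and are ignored.  Otherwise X-Forwarded-For is walked from
    the right, skipping our own proxies: the first hop that is not ours is the
    address the outermost trusted proxy actually saw.  X-Real-IP is a fallback.
    """
    if not _is_trusted(remote_ip):
        return remote_ip
    h = {k.lower(): v for k, v in headers.items()}
    hops = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            # A malformed entry means the chain cannot be trusted; fall back to the peer.
            return _valid_ip(hop) or remote_ip
    real_ip = h.get("x-real-ip", "").strip()
    if real_ip and not _is_trusted(real_ip):
        return _valid_ip(real_ip) or remote_ip
    return remote_ip


if __name__ == "__main__":
    # Constructed requests: peer 10.1.2.3 is our load balancer.
    print(client_ip("10.1.2.3", {"X-Forwarded-For": "198.51.100.4, 10.0.0.5"}))
    print(client_ip("10.1.2.3", {"X-Forwarded-For": "1.2.3.4, 198.51.100.4"}))
    print(client_ip("198.51.100.9", {"X-Forwarded-For": "1.2.3.4"}))
```

Walking the chain from the right matters: a client can prepend any value it likes to X-Forwarded-For, but the hop appended by your own proxy is the last one, so the rightmost non-proxy address is the only one you can stand behind. When the peer is not a known proxy the function returns the peer address unchanged, which is the correct answer for a direct connection and also the safe answer for a client pretending to be behind one.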

Posted

I found an excellent solution for when a large number of requests are received from one IP address, and I want to share it with others.

 

First, in the UniGUIServerModuleHTTPCommand section, you should show the current time to the user in encoded form as a parameter. After the user checks the "I'm not a robot" box, the page reloads with the new parameter. Then, you need to decode the parameter value and check if it is still valid—for this, I have only allowed 5 seconds. As you can see, if it takes more than 5 seconds for the user to click, the page refreshes. This is the best and fastest method I have found to solve this problem.

fhNhRWX.gif

Posted
4 minutes ago, WSIINNDA said:

I found an excellent solution for when a large number of requests are received from one IP address, and I want to share it with others.

 

First, in the UniGUIServerModuleHTTPCommand section, you should show the current time to the user in encoded form as a parameter. After the user checks the "I'm not a robot" box, the page reloads with the new parameter. Then, you need to decode the parameter value and check if it is still valid—for this, I have only allowed 5 seconds. As you can see, if it takes more than 5 seconds for the user to click, the page refreshes. This is the best and fastest method I have found to solve this problem.

fhNhRWX.gif

The advantage of this method is that the user is required to check the "I am not a robot" box at the very beginning. They will not have access to the site until they select this option. After selection, the parameter that allows the user to access the site is only valid for 5 seconds. That is, if the same parameter is entered again, the "I am not a robot" page will reappear. This way, DDoS attacks can easily be prevented.
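The scheme in the two posts above hands the client an encoded timestamp and accepts it back only within 5 seconds. The post does not show how the value is encoded; the added example below (not the poster's code) implements the same idea with an HMAC over the timestamp so that a client who learns the format still cannot mint a fresh parameter, and records used tokens so that the same parameter is refused a second time, as the post requires. The secret is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed placeholder; in a deployment this comes from configuration, never source.
SECRET = b"example-server-secret-change-me"
TOKEN_TTL_SECONDS = 5     # the thread's 5-second validity window

_used_tokens = set()      # single-use bookkeeping; a real server would expire old entries


def issue_token(now=None):
    """Return an opaque, URL-safe parameter binding the issue time to this server.

    Layout: base64url(issued_at[8] || nonce[8] || HMAC-SHA256(secret, issued_at || nonce)).
    The HMAC is the point: a plain encoding of the time could be reproduced by
    anyone who works out the encoding, so the server must sign it."""
    issued = int(time.time() if now is None else now)
    payload = issued.to_bytes(8, "big") + os.urandom(8)
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_token(token, now=None):
    """True if `token` is genuine, at most TOKEN_TTL_SECONDS old, and has not been used."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeError):
        return False
    if len(raw) != 16 + 32:
        return False
    payload, tag = raw[:16], raw[16:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False
    issued = int.from_bytes(payload[:8], "big")
    if not (0 <= now - issued <= TOKEN_TTL_SECONDS):
        return False                             # expired, or claims a future issue time
    if token in _used_tokens:
        return False                             # replayed parameter
    _used_tokens.add(token)
    return True


if __name__ == "__main__":
    t = issue_token()
    print("fresh token accepted:", verify_token(t))
    print("same token again:", verify_token(t))
```

Two properties of the check are worth noting. The signature is compared with hmac.compare_digest rather than ==, so verification time does not leak how many tag bytes matched, and the age test rejects negative ages as well, so a token cannot be issued "in the future" to extend its life. The used-token set is what makes the parameter single-use; without it, a 5-second window alone still allows any number of replays inside those 5 seconds.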

Posted
8 hours ago, WSIINNDA said:

The advantage of this method is that the user is required to check the "I am not a robot" box at the very beginning. They will not have access to the site until they select this option. After selection, the parameter that allows the user to access the site is only valid for 5 seconds. That is, if the same parameter is entered again, the "I am not a robot" page will reappear. This way, DDoS attacks can easily be prevented.

To fight DDoS, you can also try this:

 

 

 

  • Confused 1
  • 2 months later...
Posted
On 12/26/2025 at 5:28 PM, Farshad Mohajeri said:

I enabled AntiFlood for Customer Portal:

You will get this when a flood occurs:

 

image.png

@Farshad Mohajeri

The issue in the Uni framework has not been fully resolved, and it is easy to disable the web application by sending too many requests!!!

 

qaAqB4a.png

qaAnyMP.gif
