How to ignore alihack requests using your nginx config

If you are getting the following error in your Rails app:

   unexpected token at 'alihack

…it can be blocked in your nginx config.

The following snippet can be placed inside the server block and returns a  ‘400 Bad Request’ with a text message in the body.

A big assumption here is that your app is not using json – it blocks all JSON PUT requests. This could be refined to check for third header that your own app sets, if that is a problem.

You could change this to a redirect or a json response if you want (commented out below).

# ali.txt attempt on any URL
if ($content_type = "application/json") { 
  set $ali_txt JSON; 

if ($request_method = PUT) {
  set $ali_txt "${ali_txt}_PUT"; 

if ($ali_txt = JSON_PUT) {
 return 400 "Bad request - ignoring"; 
 # return 444;
 # return 301 http://www.example.com/some-page

This should not be placed inside a location block.

5 thoughts on “How to ignore alihack requests using your nginx config

  1. Doesn't this come with a fairly huge caveat? Looks like it would break all PUT JSON requests, good or bad. If so, it could mess up your APIs, especially since your Rails-level tests would pass but nginx would deny those requests.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s