Server blocks POST but not GET requests?

Question

Inside my app, I use $http post requests because on server side all PHP services accept only post request. PHP web services are located in godaddy.

After some consecutive $http post requests(usually after 10-20 request), I start to get ERR_EMPTY_RESPONSE from server. I did some research and found that this is because a security issue from server to prevent attacks. Apache server's mod_sec setting causes this problem but I don't have permissions to override it.

I decided to test, if this issue is specifically caused by POST requests. so I wrote a simple PHP file and AngularJS test script. If I use GET request I don't get any ERR_EMPTY_RESPONSE errors. Are there any $http POST settings on client side AngularJS or any Apache server setting which I can place in .htaccess file, so server doesn't block POST requests?

PHP script:

<?php 
       echo json_encode(array("item"=>"dummy test service."));
 ?>

AngularJS script:

var success_count = 0;
var method = 'GET'; //try 'POST' and you will get ERR_EMPTY_RESPONSE
stop = $interval(function() {
    $http({
        method : method,
        url : 'test.php'
    }).then(function successCallback(response) {
        console.log(success_count);
        success_count++;
    }, function errorCallback(response) {
        console.log("error after "+success_count+" successful request.");
        success_count = 0;
    });
}, 200);

If a security apache module is active, then you can't do anything about it. You can only ask the host provider to set the limit higher. — Charlotte Dunois, May 12 '16 at 10:18
yes I tried mod_sec .htaccess settings. but it doesn't work in my case because of permissions. — zenprogrammer, May 12 '16 at 10:31

score 0 · Answer 1 · edited May 23 '17 at 11:52

This is because of cross-domain request policy. If you want to restrict scripts from other pages that are not on the same domain this will help in doing that. But what happens in the case of API's, how are they giving permission to accept request from some other pages?. So to do this they use Access-control-OPTIONS and in your particular case Access-Control-Allow-Methods must have been set to just GET method. So its basically accepting only GET request.

However if you want to specifically use POST request use CURL(with PHP or some other server side language) which can by pass same-origin policy ,and can send & receive data through POST request.You can have additional information about CURL here

Server blocks POST but not GET requests?

1 Answers1