testcookie_redirect_via_refresh

The testcookie_redirect_via_refresh directive controls whether the server answers a failed cookie check with an HTML meta refresh page instead of a direct HTTP redirect.

Syntax: testcookie_redirect_via_refresh on | off;
Default: off
Context: http, server, location
Arguments: 1

Description

The testcookie_redirect_via_refresh directive is part of a cookie-based challenge mechanism for mitigating automated requests. The server issues a challenge that requires the client, such as a web browser, to establish a session through a cookie. When this directive is on and a request fails the cookie check, the server does not perform a direct HTTP redirect. Instead, it responds with an HTML page that includes a meta refresh tag. The tag instructs the browser to refresh at a specified interval, so that it requests the page again and receives a valid cookie.

This directive is particularly useful where automated agents or bots try to navigate content that should be restricted to legitimate users. Delivering the challenge through a meta refresh reduces the chance of passing it without properly handling cookies, which adds a layer of difficulty for bots attempting to crawl the site. Both the client-side browser and the server-side configuration must be set up correctly for the challenge to work.

testcookie_redirect_via_refresh takes a single argument, on or off, which activates or deactivates the refresh behavior. Proper configuration enhances the effectiveness of the overall robot mitigation strategy implemented through the testcookie directives.

Config Example

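location / {
    # Enable the cookie challenge for this location.
    testcookie on;
    # Answer a failed cookie check with a meta refresh page, not an HTTP redirect.
    testcookie_redirect_via_refresh on;
    testcookie_name "TCK";
    # Required by the module. Placeholder value: replace with a long static secret.
    testcookie_secret "REPLACE_WITH_A_LONG_STATIC_SECRET_VALUE";
    # Required by the module: input to the challenge computation.
    testcookie_session $remote_addr;
    # Query argument that counts attempts for testcookie_max_attempts (name chosen here).
    testcookie_arg attempt;
    testcookie_domain "example.com";
    testcookie_expires "31 Dec 2037 23:55:55 GMT";
    testcookie_max_attempts 3;
    testcookie_fallback "/fallback";
}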

Ensure that the meta refresh interval doesn't cause unnecessary load on the server due to frequent refresh requests.

The refresh mechanism may lead to increased latency for legitimate users if not configured properly, potentially resulting in a suboptimal user experience.

If the fallback URL is not set correctly, users will see a 403 error after exceeding the maximum number of attempts.
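
To check which redirect mode a location actually serves, and what refresh delay it uses, the response to a cookieless request can be classified as below. This is an added example, not code from the module or its documentation. The sample responses are constructed, and the `attempt` query argument and cookie value in them are assumptions.

```python
from html.parser import HTMLParser

class _MetaRefresh(HTMLParser):
    """Collects the content of the first <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.content = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if (tag == "meta" and self.content is None
                and a.get("http-equiv", "").lower() == "refresh"):
            self.content = a.get("content", "")

def classify_challenge(raw: bytes) -> dict:
    """Report how a raw HTTP response sends a cookieless client back."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    result = {"status": status, "mode": "none", "delay": None,
              "target": None, "sets_cookie": "set-cookie" in headers}
    if 300 <= status < 400 and "location" in headers:
        result.update(mode="http-redirect", target=headers["location"])
        return result
    parser = _MetaRefresh()
    parser.feed(body.decode("utf-8", "replace"))
    if parser.content is not None:
        # content has the form "<seconds>; url=<target>"
        delay, _, rest = parser.content.partition(";")
        target = rest.strip()
        if target.lower().startswith("url="):
            target = target[4:].strip()
        result.update(mode="meta-refresh", delay=float(delay.strip() or 0),
                      target=target or None)
    return result

# Constructed sample responses (not captured from a real server).
REDIRECT = (b"HTTP/1.1 302 Moved Temporarily\r\nLocation: /?attempt=1\r\n"
            b"Set-Cookie: TCK=0123abcd; path=/\r\n\r\n")
REFRESH = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Set-Cookie: TCK=0123abcd; path=/\r\n\r\n"
           b'<html><head><meta http-equiv="refresh" content="0; url=/?attempt=1">'
           b"</head><body></body></html>")
```

A `mode` of `http-redirect` on a location where the directive is on indicates the setting is not taking effect there, and a non-zero `delay` is the latency legitimate users pay on their first visit.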
