DEV Community

James Moberg

Blocking HTML5 Ping Requests using ColdFusion

Major browsers are removing the option to disable HTML5 ping click tracking (also called hyperlink auditing).

As a result, you’ll probably start encountering empty form posts with a content-type of "text/ping". If you are not expecting or do not need to receive ping requests to your web server, you can block them without wasting any resources processing the request further. This matters because the feature has already been abused to perform DDoS attacks.

Here's a basic ColdFusion script that will identify and block HTML5 Ping requests.

```cfml
<!--- 20190627
Block/Track Ping HTTP Requests using ColdFusion
GIST: https://gist.github.com/JamoCA/916dbb2d0ca0fe30ca63120bcaccc20f
BLOG: https://dev.to/gamesover/blocking-html5-ping-requests-using-coldfusion-4ei8
If you are not expecting or do not need to receive ping requests to your web server, block any
web requests that contain "Ping-To" and/or "Ping-From" HTTP headers on the edge devices (Firewall,
WAF, etc.). If you can't do that, you can still detect it in ColdFusion and abort prior to wasting
any resources processing the request further.
More info:
https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/
https://www.imperva.com/blog/the-ping-is-the-thing-popular-html5-feature-used-to-trick-chinese-mobile-users-into-joining-latest-ddos-attack/
https://hub.packtpub.com/chrome-safari-opera-and-edge-to-make-hyperlink-auditing-compulsorily-enabled/
NOTE: It appears Brave, Dissenter & Firefox offer the ability to disable "ping" tracking. Chrome has removed the ability to disable it.
--->
<!--- Read only the request headers; passing false skips reading the request body --->
<cfset Headers = GetHttpRequestData(false).headers>
<!--- Struct keys and the "is" comparison are case-insensitive in ColdFusion --->
<cfif StructKeyExists(Headers, "Content-Type") and Headers["Content-Type"] is "text/ping">
    <!--- Optional: log Headers["Ping-To"] and Headers["Ping-From"] before aborting --->
    <cfheader statuscode="204" statustext="No Content">
    <cfabort>
</cfif>
```
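As an added example (not part of the original post or its gist), here is the same check written in Python over a constructed raw request, so the decision logic can be exercised outside ColdFusion. It goes slightly beyond the snippet above: it matches the media type even when Content-Type carries parameters, and it also flags requests that carry the Ping-To / Ping-From headers the comment recommends blocking at the edge. Hostnames and paths are made up.

```python
"""Classify raw HTTP requests as HTML5 <a ping> beacons and decide whether to block them."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PingVerdict:
    is_ping: bool
    ping_from: Optional[str] = None
    ping_to: Optional[str] = None
    status: int = 200  # 204 No Content when the request is blocked, as in the CF snippet


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return headers with lowercased names; the body is ignored (like GetHttpRequestData(false))."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def is_ping_request(headers: Dict[str, str]) -> bool:
    """True for Content-Type text/ping (parameters such as ';charset=' ignored) or Ping-To/Ping-From."""
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type == "text/ping":
        return True
    return "ping-to" in headers or "ping-from" in headers


def handle(raw_request: str) -> PingVerdict:
    """Decide: pass non-ping requests through, answer pings with 204 and record source/destination."""
    headers = parse_headers(raw_request)
    if not is_ping_request(headers):
        return PingVerdict(is_ping=False)
    # Ping-From / Ping-To are what you would log before aborting (the CF comment's optional step).
    return PingVerdict(True, headers.get("ping-from"), headers.get("ping-to"), 204)


# Constructed samples: a browser ping beacon and an ordinary form post.
SAMPLE_PING = (
    "POST /track HTTP/1.1\r\nHost: example.com\r\nContent-Type: text/ping\r\n"
    "Ping-To: https://example.com/landing\r\nPing-From: https://example.org/page\r\n"
    "Content-Length: 4\r\n\r\nPING"
)
SAMPLE_FORM = (
    "POST /contact HTTP/1.1\r\nHost: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nq=1"
)

if __name__ == "__main__":
    print(handle(SAMPLE_PING))
    print(handle(SAMPLE_FORM))
```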
