Conflict between "apikey" in the url and hosted Emoncms servers

I host Emoncms on a Krystal Hosting server and we had a 4-day outage because of their Imunify360 rules.

It turns out that they block URLs with the word “apikey” in because:
The rule is detecting "apikey" from the URL, which is the name for a wordpress fakeplugin.

This “rule” took the whole site offline for IP addresses sending apikey in the url so I couldn’t even get in to manage the site…

They have (temporarily?) switched off the rule for my site but it will probably bite someone else.

Would it be possible to add an alternative word like “key” (leaving apikey so as not to break existing installations)?

The rule includes other strings but they don’t look like they would cause a problem for Emoncms

ModSecurity: Access denied with code 403, [Rule: 'REQUEST_URI' '@rx (wordpresscore|wp-zexit|wp-clearlineee|wp-resortpack|apikey|ioptimization|bqxtbuu|blnmrpb|wp-breeze|loftloader\.2\.4\.0|cve-2023-45124|root-file-manager|ph-file-manager|zer0day|file-manager-zeroday|phoenix_)'] [id "77350295"] [msg "IM360 WAF: Interaction with fake plugin||WPU:||T:LITESPEED||"] [severity "CRITICAL"] [tag "service_i360custom"] [tag "service_wp_plugin"]

Thanks for a great package

How are you sending data to your instance?

It’s recommended to put the apikey into the POST data or HTTP header instead of the url, then you would not have this problem.

See “Input API help” linked from the top of the Inputs page:


Thanks Tim
I’m using GET not POST because for years I couldn’t get post to work.
However I’ve recently found out the reason is the headers - something vital missing in the docs
The header has to be:

'content-type': 'application/x-www-form-urlencoded'

I intend to switch to POST but I thought I’d mention this in case anybody was having problems

I also use OpenEVSE to send to Emoncms and that uses GET (with apikey in the url) not POST so this could rattle around


@glyn.hudson @TrystanLea

I’d raise a GitHub issue on this.

This may be host dependent.

I’ve raised one on OpenEVSE GitHub to change to POST
I’ll put one on OpenEVSE GitHub to add a synonym for apikey

I think Emoncms’s PHP needs to know it’s form encoded and not just JSON so it can decipher it properly.
I stress think…
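
As an added example (not part of any post in this thread, and not Emoncms or Imunify360 code): the regex from the ModSecurity rule quoted above, applied to two constructed requests, shows that the rule sees the key only when it travels in the URL. The host, the key, and the `input/post` path with `node` and `fulljson` parameters are assumptions for illustration.

```python
import re
import urllib.parse
import urllib.request

# Alternation copied from the ModSecurity rule (id 77350295) quoted in the thread.
RULE_RX = re.compile(
    r"(wordpresscore|wp-zexit|wp-clearlineee|wp-resortpack|apikey|ioptimization|"
    r"bqxtbuu|blnmrpb|wp-breeze|loftloader\.2\.4\.0|cve-2023-45124|"
    r"root-file-manager|ph-file-manager|zer0day|file-manager-zeroday|phoenix_)"
)

BASE = "https://emoncms.example.org/input/post"  # constructed host, assumed path
API_KEY = "0123456789abcdef0123456789abcdef"     # constructed placeholder key


def rule_matches(request_uri: str) -> bool:
    """The rule inspects REQUEST_URI only: path plus query string, not body or headers."""
    return RULE_RX.search(request_uri) is not None


def request_uri(req: urllib.request.Request) -> str:
    """Path and query string as they would appear on the HTTP request line."""
    parts = urllib.parse.urlsplit(req.full_url)
    return parts.path + ("?" + parts.query if parts.query else "")


def get_with_key_in_url(node: str, fulljson: str) -> urllib.request.Request:
    """GET with the key in the query string, as described in the first post."""
    query = urllib.parse.urlencode({"node": node, "fulljson": fulljson, "apikey": API_KEY})
    return urllib.request.Request(f"{BASE}?{query}", method="GET")


def post_with_key_in_body(node: str, fulljson: str) -> urllib.request.Request:
    """POST with the key in a form-encoded body and the content-type from the thread."""
    body = urllib.parse.urlencode({"node": node, "fulljson": fulljson, "apikey": API_KEY})
    return urllib.request.Request(
        BASE,
        data=body.encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


if __name__ == "__main__":
    # Requests are only built and inspected here, never sent.
    for req in (get_with_key_in_url("emontx", '{"power1":100}'),
                post_with_key_in_body("emontx", '{"power1":100}')):
        uri = request_uri(req)
        print(req.get_method(), uri, "-> rule matches:", rule_matches(uri))
```

Keeping the key out of the URL also keeps it out of web-server and proxy access logs, which record the request line.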