Do not allow POST requests to /sitemaps

hannako · hannako · commit caf1587b347c · 2026-02-04T16:31:39.000Z
We get relatively frequent vulnerability scans to the sitemaps endpoint,
attempting to post data.

We should handle this.
diff --git a/lib/rummager/app.rb b/lib/rummager/app.rb
@@ -317,6 +317,12 @@ def get_type_from_request_body(request_body)
     serve_from_s3(sitemap)
   end
 
+  post "/sitemaps/*" do
+    headers = { "Allow" => "GET" }
+    body = { message: "Method Not Allowed: Use GET to access the sitemap." }.to_json
+    halt(405, headers, body)
+  end
+
   def serve_from_s3(key)
     o = Services.s3_client.get_object(bucket: ENV["AWS_S3_SITEMAPS_BUCKET_NAME"], key:)
 
diff --git a/spec/integration/app/sitemap_spec.rb b/spec/integration/app/sitemap_spec.rb
@@ -55,4 +55,13 @@
       end
     end
   end
+
+  describe "post /sitemaps/*" do
+    it "returns a 405 error message" do
+      post "/sitemaps/server/anything/stuff.php"
+      expect(last_response.status).to eq(405)
+      expect(last_response.headers["Allow"]).to eq("GET")
+      expect(last_response.body).to eq({ message: "Method Not Allowed: Use GET to access the sitemap." }.to_json)
+    end
+  end
 end
