From caf1587b347ca60d883fee26d46fe630720e61eb Mon Sep 17 00:00:00 2001
From: Jessica Jones
Date: Wed, 4 Feb 2026 16:00:51 +0000
Subject: [PATCH] Do not allow POST requests to /sitemaps

We get relatively frequent vulnerability scans to the sitemaps endpoint, attempting to post data. We should handle this.
---
 lib/rummager/app.rb | 6 ++++++
 spec/integration/app/sitemap_spec.rb | 9 +++++++++
 2 files changed, 15 insertions(+)

diff --git a/lib/rummager/app.rb b/lib/rummager/app.rb
index ef4d30e0e..eacd1288b 100644
--- a/lib/rummager/app.rb
+++ b/lib/rummager/app.rb
@@ -317,6 +317,12 @@ def get_type_from_request_body(request_body)
 serve_from_s3(sitemap)
 end
+ post "/sitemaps/*" do
+ headers = { "Allow" => "GET" }
+ body = { message: "Method Not Allowed: Use GET to access the sitemap." }.to_json
+ halt(405, headers, body)
+ end
+
 def serve_from_s3(key)
 o = Services.s3_client.get_object(bucket: ENV["AWS_S3_SITEMAPS_BUCKET_NAME"], key:)
diff --git a/spec/integration/app/sitemap_spec.rb b/spec/integration/app/sitemap_spec.rb
index ef162cc74..586d05456 100644
--- a/spec/integration/app/sitemap_spec.rb
+++ b/spec/integration/app/sitemap_spec.rb
@@ -55,4 +55,13 @@
 end
 end
 end
+
+ describe "post /sitemaps/*" do
+ it "returns a 405 error message" do
+ post "/sitemaps/server/anything/stuff.php"
+ expect(last_response.status).to eq(405)
+ expect(last_response.headers["Allow"]).to eq("GET")
+ expect(last_response.body).to eq({ message: "Method Not Allowed: Use GET to access the sitemap." }.to_json)
+ end
+ end
 end
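Review bot: Only POST is intercepted by the new `post "/sitemaps/*"` route in lib/rummager/app.rb, so PUT, PATCH and DELETE to the same paths still fall through to the default not-found handling while the `Allow` header sent here states that GET is the only supported method; a single 405 handler for every non-GET verb keeps the advertised and actual behaviour consistent. Sinatra registers a HEAD route alongside each `get`, so `Allow` should presumably read `GET, HEAD`, and the matching assertion in sitemap_spec.rb would need the same change. The JSON body is emitted without `content_type :json`, so the Content-Type is whatever the app's default happens to be — it cannot be determined from this hunk and is worth setting explicitly. The locals `headers` and `body` also shadow Sinatra's helpers of the same names; passing the values straight to `halt` avoids that. The enclosing class body starts and ends outside the hunk.
```ruby
  # … unchanged: GET /sitemaps/* route above …
  %w[POST PUT PATCH DELETE].each do |verb|
    route verb, "/sitemaps/*" do
      content_type :json
      halt 405, { "Allow" => "GET, HEAD" }, { message: "Method Not Allowed: Use GET to access the sitemap." }.to_json
    end
  end
  # … unchanged: serve_from_s3 …
```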