by cheschire 1354 days ago
"Aha, so an overzealous IT network decided to block the request before it even reached my server."

What classifies this as an "overzealous" act of network configuration? There may be a subjectively legitimate reason the user's network was configured this way.

"I had no idea I was ever going to get anything different."

There's an entire list of HTTP status codes. That was your clue that you would get something different. You made a decision to not have handling for them all. Not implementing handling for 418 is understandable, but forbidden and service unavailable responses are common enough.

> What classifies this as an "overzealous" act of network configuration? There may be a subjectively legitimate reason the user's network was configured this way.

Worked at a large FI.

Our corporate firewall used to block any website or payload that contained the word "hack". At one point, the security team decided to roll out a change that blocked all verbs except GET and POST without telling anyone. I could go on.

And probably replies with a 200 and a blocked page.

What you tend to see is that the web firewall is administered by someone who has only one duty (manage this firewall) and a very narrow set of skills (certification in this appliance). They probably have a very shallow understanding of the HTTP protocol.
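
The two failure modes raised in this thread, an API client that never handled 403/503 and a middle box that answers with a 200 and a block page, can both be caught client-side. This is an added example, not code from the thread or the site being discussed; it assumes a JSON API and treats a 200 carrying HTML as interception rather than success.

```python
import json
from dataclasses import dataclass
from typing import Optional

@dataclass
class ApiOutcome:
    kind: str                      # ok | forbidden | method_blocked | retry | intercepted | unexpected
    detail: str
    retry_after: Optional[int] = None
    payload: Optional[object] = None

def classify_response(status: int, headers: dict, body: bytes) -> ApiOutcome:
    """Classify an HTTP reply to a JSON API call instead of assuming 200 == success."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    lead = body.lstrip()[:20].lower()
    if status == 200:
        if ctype == "application/json":
            try:
                return ApiOutcome("ok", "json payload", payload=json.loads(body))
            except ValueError:
                return ApiOutcome("unexpected", "200 with unparsable JSON body")
        # A 200 with an HTML body where JSON was expected is the classic block page
        # injected by a proxy or web filter; the request never reached the API.
        if ctype == "text/html" or lead.startswith((b"<!doctype html", b"<html")):
            return ApiOutcome("intercepted", "200 with HTML body where JSON expected")
        return ApiOutcome("unexpected", f"200 with content-type {ctype!r}")
    if status == 403:
        return ApiOutcome("forbidden", "request refused, possibly by network policy")
    if status == 405:
        # Seen when a middle box only permits GET and POST and drops other verbs.
        return ApiOutcome("method_blocked", "HTTP method not allowed on this path")
    if status in (429, 503):
        ra = h.get("retry-after", "")
        secs = int(ra) if ra.isdigit() else None
        return ApiOutcome("retry", f"HTTP {status}, retry later", retry_after=secs)
    return ApiOutcome("unexpected", f"HTTP {status} not handled")

# Constructed sample replies, not captured from any real service.
SAMPLES = {
    "good": (200, {"Content-Type": "application/json"}, b'{"order": 42}'),
    "blockpage": (200, {"Content-Type": "text/html"}, b"<html><body>Blocked by policy</body></html>"),
    "forbidden": (403, {"Content-Type": "text/plain"}, b"Forbidden"),
    "put_dropped": (405, {"Allow": "GET, POST"}, b""),
    "down": (503, {"Retry-After": "30"}, b""),
}

def classify_samples() -> dict:
    return {name: classify_response(*r) for name, r in SAMPLES.items()}
```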

And the nearby Burger Shack wondered why their online orders plummeted.

They were using PUT instead of POST for orders?

Wow, that's whack. I couldn't PUT up with working in a place with such a hackneyed firewall limiting my OPTIONS so much; it really raises my hackles. I'd HEAD out the door so fast in such a ramshackle establishment, I wouldn't even ask for a reference, I'd just kindly ask that they DELETE my number.
> Our corporate firewall used to block any website or payload that contained the word "hack".

How else are you going to stop employees from downloading and playing NetHack at work?

Allowing this person's gift card shop but not allowing POST requests is clearly overzealous in my book.

I understand that some companies want to block certain websites. However, if you're in such a restricted network, I wouldn't expect a website like "Thankbox" to work at all.

An overzealous filter like this prevents normal POST requests (logging in to websites, etc.), lets through random websites (gift card website) and allows all manner of data exfiltration and other nasty stuff. The goal is laudable, the implementation is laughable.

There's a subjectively legitimate reason to consider blocking POST (but not GET) requests ruder things than "overzealous."

> There's a subjectively legitimate reason to consider blocking POST (but not GET)

No, just no.

In a world where many websites use GraphQL (a POST request with content) or gRPC, that's a complete garbage decision.

- This kind of brain-dead admin decision is exactly what brings protocol abuse: people would just use GET queries with a ton of parameters and violate the semantics just to avoid stupid middle-box problems. The same goes for TLS, which is used everywhere (even in VPNs) just to bypass the crappiness of corporate firewalls and stupid managerial decisions.

The rest of the sentence that you left off in your quote is saying that blocking POST requests is worse than overzealous. You are in agreement with them.

What kind of reason? You can have plenty of communication via GET requests.