Suspicious HTTP Requests

developer · September 29, 2023, 6:19am

Hello. I have my Ghost installation behind Cloudflare, and, well to say the least the configuration is adequate. I noticed while tinkering with the configuration that when I visit the /ghost/#/signin path in my browser it makes several suspicious looking HTTP requests to various domains:

rsms.me
[redacted].algolia.net
[redacted].supabase.co - There are nearly 100 of these

These requests mostly appear to be downloading images or favicons for … maybe other Ghost websites? I tried blocking the URLs via Cloudflare but they went through anyway, but uBlock origin on the client was able to stop them from going through.

A few important details:

I’m using DNS over HTTPS on Firefox;
I do not have any unofficial themes or plugins installed;
The requests appear to be 200 and while rsms is downloading font files, the subpabase url is downloading and caching a bunch of webp files in my browser.;
I tried visiting the website on another device and the same requests were made, indicating this is not likely to be a browser or client error.
Referrer is listed as ghost.org

Does anyone have any idea what these requests are and how I might disable them for my website visitors?

markstos · October 2, 2023, 3:16pm

Does anyone have any idea what these requests are?

I don’t see the Algolia requests when I try the same URL request on my Ghost blog, that’s that’s a website search engine tool.

It seems supabase.co is used as part of featuring some other Ghost blogs from Ghost Explore on the admin dashboard.

rsme.me appears to a personal blog. Perhaps it’s related to a specific site that was recommended to you from Ghost Explore, somewhat randomly.

how I might disable them for my website visitors?

The page you visited it /ghost/#/signin is not a page for for your visitors, it’s where you login to your own admin area. If you are concern about third-party requests affecting your website visitors, you should check pages that the public visits, not your admin area.

The Configuration documentation on privacy documents a few things you can turn off if you wish:

Today, those include “update check”, “gravatar”, “RPC Ping” and “Structured Data”.

That page links to another page on Ghost Privacy which adds some details:

github.com

TryGhost/Ghost/blob/3d989eba2371235d41468f7699a08e46fc2b1e87/PRIVACY.md

# Privacy

This is a plain English summary of all of the components within Ghost which may affect your privacy in some way. Please keep in mind that if you use third party Themes or Apps with Ghost, there may be additional things not listed here.

Each of the items listed in this document can be disabled via Ghost's `config.[env].json` file. Check out the [configuration guide](https://ghost.org/docs/config/#privacy) for details.

## Official Services

Some official services for Ghost are enabled by default. These services connect to Ghost.org and are managed by the Ghost Foundation: the Non-Profit organisation which runs the Ghost project.


### Automatic Update Checks

When a new session is started, Ghost pings a Ghost.org service to check if the current version of Ghost is the latest version of Ghost. If an update is available, a notification on the About Page appears to let you know.

Ghost will collect basic anonymised usage statistics from your blog before sending the request to the service. You can disable collecting statistics using the [privacy configuration](https://ghost.org/docs/config/). You will still receive notifications from the service.

All of the information and code related to this service is available in the [update-check.js](https://github.com/TryGhost/Ghost/blob/master/core/server/update-check.js) file.

This file has been truncated. show original

But that link is out of date. A more accurate link is here: https://github.com/TryGhost/Ghost/blob/main/PRIVACY.md

@Kevin Could you forward a suggestion to the right person to update the Privacy config docs to use an evergreen link to PRIVACY.md?

@developer Also see this post: You don’t have to use the dashboard. You can bookmark other admin features and go straight there. Is there a way to disable / bypass the dashboard?

developer · October 3, 2023, 5:45pm

Thank you for your reply. After closer inspection it appears that the requests were being sent from the ghost explore tab, which apparently loads content even before the user is logged in. The search engine is the search function on the page.

Please note my previous statement regarding Unsplash was incorrect.