From 939f4da3f74ccfc81a885d5e3d6341756b3a84e6 Mon Sep 17 00:00:00 2001
From: Fijxu
Date: Tue, 12 Nov 2024 09:23:30 -0300
Subject: [PATCH] security: restrict the setting of CORS headers to inv.nadeko.net related domains

security: restrict the setting of CORS headers to inv.nadeko.net related domains
---
 main.go | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/main.go b/main.go
index cee7c20..b8a1417 100644
--- a/main.go
+++ b/main.go
@@ -321,16 +321,27 @@ func beforeProxy(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		defer panicHandler(w)
 
-		w.Header().Set("Access-Control-Allow-Origin", "*")
-		w.Header().Set("Access-Control-Allow-Headers", "*")
-		w.Header().Set("Access-Control-Max-Age", "1728000")
-
 		// To prevent accessing from the bare IP address
 		if req.Host == "" || net.ParseIP(strings.Split(req.Host, ":")[0]) != nil {
 			w.WriteHeader(444)
 			return
 		}
 
+		// Only allow requests from origin inv.nadeko.net
+		// Why? Because I don't want anyone to use this proxy for their own purposes.
+		// Hardcoded because I'm lazy lol!
+		origin := req.URL.Query().Get("Origin")
+		if origin == "https://inv.nadeko.net" || origin == "https://materialious.nadeko.net" {
+			w.Header().Set("Access-Control-Allow-Origin", "*")
+			w.Header().Set("Access-Control-Allow-Headers", "*")
+			w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
+			w.Header().Set("Access-Control-Max-Age", "1728000")
+		} else {
+			w.WriteHeader(401)
+			io.WriteString(w, "Only requests coming from inv.nadeko.net are allowed.")
+			return
+		}
+
 		if h3s {
 			w.Header().Set("Alt-Svc", "h3=\":8443\"; ma=86400")
 		}
@@ -341,6 +352,7 @@ func beforeProxy(next http.HandlerFunc) http.HandlerFunc {
 		}
 
 		if req.Method != "GET" && req.Method != "HEAD" {
+			w.WriteHeader(405)
 			io.WriteString(w, "Only GET and HEAD requests are allowed.")
 			return
 		}
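Review bot: The new origin check reads `req.URL.Query().Get("Origin")`, i.e. a query-string parameter, but browsers convey the requesting origin in the `Origin` request header, so a normal cross-origin request from inv.nadeko.net carries no such parameter and falls into the 401 branch, while any client can satisfy the check simply by appending `?Origin=https://inv.nadeko.net` to the URL. The intended gate is `origin := req.Header.Get("Origin")`, bearing in mind that the header is still client-supplied and only meaningful as a CORS signal, not as authentication. Once the origin is allowlisted it is cleaner to echo it rather than keep the wildcard, `w.Header().Set("Access-Control-Allow-Origin", origin)` together with `w.Header().Add("Vary", "Origin")`, so caches do not serve one origin's response to another. The 401 status is also a slight misfit since no authentication scheme is offered; 403 describes "origin not allowed" more accurately. The enclosing handler returned by beforeProxy continues past the end of this hunk.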
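Review bot: The added `w.WriteHeader(405)` is sent without an `Allow` header, which a 405 response is required to carry; add `w.Header().Set("Allow", "GET, HEAD")` on the line before it. Note also that the first hunk now advertises `Access-Control-Allow-Methods: GET, HEAD, OPTIONS`, yet a CORS preflight (`OPTIONS`) reaches this check and is refused with 405, so either OPTIONS should be handled before this branch or dropped from the advertised list to keep the two consistent. The surrounding closure starts and ends outside this hunk.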