security: restrict the setting of CORS headers to inv.nadeko.net related domains
security: restrict the setting of CORS headers to inv.nadeko.net related domains
This commit is contained in:
parent
89c880bb27
commit
939f4da3f7
1 changed files with 16 additions and 4 deletions
20
main.go
|
@ -321,16 +321,27 @@ func beforeProxy(next http.HandlerFunc) http.HandlerFunc {
|
||||||
return func(w http.ResponseWriter, req *http.Request) {
|
return func(w http.ResponseWriter, req *http.Request) {
|
||||||
defer panicHandler(w)
|
defer panicHandler(w)
|
||||||
|
|
||||||
w.Header().Set("Access-Control-Allow-Origin", "*")
|
|
||||||
w.Header().Set("Access-Control-Allow-Headers", "*")
|
|
||||||
w.Header().Set("Access-Control-Max-Age", "1728000")
|
|
||||||
|
|
||||||
// To prevent accessing from the bare IP address
|
// To prevent accessing from the bare IP address
|
||||||
if req.Host == "" || net.ParseIP(strings.Split(req.Host, ":")[0]) != nil {
|
if req.Host == "" || net.ParseIP(strings.Split(req.Host, ":")[0]) != nil {
|
||||||
w.WriteHeader(444)
|
w.WriteHeader(444)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Only allow requests from origin inv.nadeko.net
|
||||||
|
// Why? Because I don't want anyone to use this proxy for their own purposes.
|
||||||
|
// Hardcoded because I'm lazy lol!
|
||||||
|
origin := req.URL.Query().Get("Origin")
|
||||||
|
if origin == "https://inv.nadeko.net" || origin == "https://materialious.nadeko.net" {
|
||||||
|
w.Header().Set("Access-Control-Allow-Origin", "*")
|
||||||
|
w.Header().Set("Access-Control-Allow-Headers", "*")
|
||||||
|
w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
|
||||||
|
w.Header().Set("Access-Control-Max-Age", "1728000")
|
||||||
|
} else {
|
||||||
|
w.WriteHeader(401)
|
||||||
|
io.WriteString(w, "Only requests coming from inv.nadeko.net are allowed.")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
if h3s {
|
if h3s {
|
||||||
w.Header().Set("Alt-Svc", "h3=\":8443\"; ma=86400")
|
w.Header().Set("Alt-Svc", "h3=\":8443\"; ma=86400")
|
||||||
}
|
}
|
||||||
|
@ -341,6 +352,7 @@ func beforeProxy(next http.HandlerFunc) http.HandlerFunc {
|
||||||
}
|
}
|
||||||
|
|
||||||
if req.Method != "GET" && req.Method != "HEAD" {
|
if req.Method != "GET" && req.Method != "HEAD" {
|
||||||
|
w.WriteHeader(405)
|
||||||
io.WriteString(w, "Only GET and HEAD requests are allowed.")
|
io.WriteString(w, "Only GET and HEAD requests are allowed.")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
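Review bot: The allow-list in the first hunk reads the origin from the query string (`origin := req.URL.Query().Get("Origin")`), which any client can set to one of the two literals, so if the intent is to gate on the browser-supplied Origin request header this should be `origin := req.Header.Get("Origin")`. Even then the Origin header is only a browser-enforced CORS signal, not authentication; the comment should say that, e.g. `// Origin is set by browsers and is advisory only; this does not authenticate callers.` Having validated the origin, the allowed branch still emits `Access-Control-Allow-Origin: *`, which makes the check irrelevant to browsers; echo the validated value and mark the response as origin-dependent with `w.Header().Set("Access-Control-Allow-Origin", origin)` and `w.Header().Set("Vary", "Origin")`. The rejection path answers 401 without a WWW-Authenticate challenge; 403 is the accurate status for a forbidden origin. The enclosing `beforeProxy` closure starts before the first hunk, and it appears from the second hunk that an OPTIONS preflight would reach the 405 branch even though `Access-Control-Allow-Methods` advertises OPTIONS, which is worth confirming against the surrounding code.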