Add Origin header checks
This commit is contained in:
parent
103949c61e
commit
2be240767c
|
@ -128,6 +128,15 @@ if CONFIG.geo_bypass
|
|||
end
|
||||
|
||||
before_all do |env|
|
||||
if CONFIG.domains && env.request.headers["Origin"]?
|
||||
origin = env.request.headers["Origin"]
|
||||
domains = CONFIG.domains.not_nil!
|
||||
|
||||
if !domains.includes? origin
|
||||
halt env, status_code: 403
|
||||
end
|
||||
end
|
||||
|
||||
env.response.headers["X-XSS-Protection"] = "1; mode=block;"
|
||||
env.response.headers["X-Content-Type-Options"] = "nosniff"
|
||||
|
||||
|
|
|
@ -16,6 +16,7 @@ class Config
|
|||
hmac_key: String?,
|
||||
full_refresh: Bool,
|
||||
geo_bypass: Bool,
|
||||
domains: Array(String)?,
|
||||
})
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue