Disalow x-forwarded headers in CORS redirect
parent
788a13d7e3
commit
f3cfc4c3c9
16
server.js
16
server.js
|
@ -168,14 +168,14 @@ if (enableCorsProxy) {
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const headers = JSON.parse(JSON.stringify(req.headers));
|
const headers = JSON.parse(JSON.stringify(req.headers));
|
||||||
delete headers['x-csrf-token'];
|
const headersToRemove = [
|
||||||
delete headers['host'];
|
'x-csrf-token', 'host', 'referer', 'origin', 'cookie',
|
||||||
delete headers['referer'];
|
'x-forwarded-for', 'x-forwarded-protocol', 'x-forwarded-proto',
|
||||||
delete headers['origin'];
|
'x-forwarded-host', 'x-real-ip', 'sec-fetch-mode',
|
||||||
delete headers['cookie'];
|
'sec-fetch-site', 'sec-fetch-dest',
|
||||||
delete headers['sec-fetch-mode'];
|
];
|
||||||
delete headers['sec-fetch-site'];
|
|
||||||
delete headers['sec-fetch-dest'];
|
headersToRemove.forEach(header => delete headers[header]);
|
||||||
|
|
||||||
const bodyMethods = ['POST', 'PUT', 'PATCH'];
|
const bodyMethods = ['POST', 'PUT', 'PATCH'];
|
||||||
|
|
||||||
|
|
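Review bot: `headersToRemove` strips `cookie` and `x-csrf-token` but still forwards `authorization` and `proxy-authorization`, so any credential a client presents to this server in those headers would be relayed to whatever host the proxy is asked to fetch; whether clients send them here is not visible in the hunk. The standard `forwarded` header (RFC 7239) and `via` carry the same client and hop information as the `x-forwarded-*` entries and are also missing. I would extend the array with `'authorization', 'proxy-authorization', 'forwarded', 'via',`. Because a denylist has to be extended every time a new proxy or browser header appears, copying only an explicit allowlist of headers (for example `accept`, `content-type`, `user-agent`) into the outgoing request would hold up better. The enclosing `try` block inside `if (enableCorsProxy)` begins and ends outside the hunk, so how `headers` is used afterwards is not shown.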