Added very basic crsf protection, will add more

galen8183 · Aug 1, 2016 · f2c6e59 · f2c6e59
1 parent a0f083b
commit f2c6e59
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/common/config.go b/common/config.go
@@ -12,6 +12,7 @@ type Config struct {
 	AddGuildRedir string `json:"add_guild_redirect"`
 	BotToken      string `json:"bot_token"`
 	Redis         string `json:"redis"`
+	Host          string `json:"host"`
 }
 
 func LoadConfig(path string) (c *Config, err error) {

diff --git a/web/middleware.go b/web/middleware.go
@@ -9,6 +9,7 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	"strings"
 )
 
 // Will put a redis client in the context if available
@@ -118,6 +119,15 @@ func RequireSessionMiddleware(inner goji.Handler) goji.Handler {
 			}
 			return
 		}
+
+		origin := r.Header.Get("Origin")
+		if origin != "" {
+			if !strings.EqualFold(Config.Host, origin) {
+				http.Redirect(w, r, "/?err=bad_origin", http.StatusTemporaryRedirect)
+				return
+			}
+		}
+
 		inner.ServeHTTPC(ctx, w, r)
 	}
 	return goji.HandlerFunc(mw)