From 93ff8eb19aa4ec76e97d400aaa6647be55c51741 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Tue, 23 Nov 2021 12:58:01 +0100
Subject: [PATCH] Improve dev mode API security

---
 api/router.go | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/api/router.go b/api/router.go
index c1bd6d1..463986d 100644
--- a/api/router.go
+++ b/api/router.go
@@ -4,11 +4,14 @@ import (
 	"context"
 	"errors"
 	"net/http"
+	"net/url"
 	"path"
 	"strings"
 	"sync"
 	"time"
 
+	"github.com/safing/portbase/utils"
+
 	"github.com/gorilla/mux"
 
 	"github.com/safing/portbase/log"
@@ -21,6 +24,11 @@ var (
 	// main server and lock
 	server = &http.Server{}
 	handlerLock sync.RWMutex
+	allowedDevCORSOrigins = []string{
+		"127.0.0.1",
+		"localhost",
+	}
 )
 
 // RegisterHandler registers a handler with the API endoint.
@@ -139,6 +147,12 @@ func (mh *mainHandler) handle(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	// Add security headers.
+	w.Header().Set("Referrer-Policy", "no-referrer")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-Frame-Options", "deny")
+	w.Header().Set("X-XSS-Protection", "1; mode=block")
+	w.Header().Set("X-DNS-Prefetch-Control", "off")
+	// Add CSP Header in production mode.
 	if !devMode() {
 		w.Header().Set(
 			"Content-Security-Policy",
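Review bot: A point of style on the import hunk: the new `"github.com/safing/portbase/utils"` import is placed in a group of its own between the standard library and `github.com/gorilla/mux`, while the other `safing/portbase` import, `log`, sits in a later group. goimports/gci would keep the two portbase imports together, so moving `utils` next to `"github.com/safing/portbase/log"` avoids the grouping being rewritten by the next tooling run. The closing `)` of the import block lies outside the hunk.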
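Review bot: `allowedDevCORSOrigins` is a new package-level allow-list with no comment saying what its entries are compared against, and that matters because they are bare hosts with neither scheme nor port; add `// allowedDevCORSOrigins lists the Origin hosts (no scheme, no port) that may make cross-origin API requests while devMode() is set.` above the declaration. The IPv6 loopback is absent from the list, so a dev UI reached via `http://[::1]` would not be granted the CORS header — if that is intended, record it in the same comment. The `var (` block begins at the line shown in the hunk header and is complete within the hunk.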
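Review bot: The `w.Header().Set("X-XSS-Protection", "1; mode=block")` line now sends, in both modes, a header that current Chromium, Firefox and Edge ignore and whose auditor in the browsers that still honour it has been abused for information leaks; OWASP's current guidance is to send `0` or omit the header and rely on the CSP, so consider `w.Header().Set("X-XSS-Protection", "0")` or a comment recording why `1; mode=block` is kept. The other four headers are fine to send unconditionally, and since that split is the point of the hunk the comment on the `// Add security headers.` line could say so, e.g. `// Sent in both modes; only the CSP below is production-only.` The added `// Add CSP Header in production mode.` comment appears to follow the last `Set` with no separating blank line, which gofmt tolerates but reads better separated. `handle` begins before this hunk and continues past it.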
@@ -147,13 +161,12 @@ func (mh *mainHandler) handle(w http.ResponseWriter, r *http.Request) error {
 				"style-src 'self' 'unsafe-inline'; "+
 				"img-src 'self' data:",
 		)
-		w.Header().Set("Referrer-Policy", "no-referrer")
-		w.Header().Set("X-Content-Type-Options", "nosniff")
-		w.Header().Set("X-Frame-Options", "deny")
-		w.Header().Set("X-XSS-Protection", "1; mode=block")
-		w.Header().Set("X-DNS-Prefetch-Control", "off")
-	} else {
-		w.Header().Set("Access-Control-Allow-Origin", "*")
+	} else if origin := r.Header.Get("Origin"); origin != "" {
+		// Allow cross origin requests from localhost in dev mode.
+		if u, err := url.Parse(origin); err == nil &&
+			utils.StringInSlice(allowedDevCORSOrigins, u.Host) {
+			w.Header().Set("Access-Control-Allow-Origin", origin)
+		}
 	}
 
 	// Handle request.
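Review bot: The allow-list check `utils.StringInSlice(allowedDevCORSOrigins, u.Host)` compares the host:port form of the Origin, so `http://localhost:4200` yields `localhost:4200` and never matches the bare hosts in the list; use `u.Hostname()`, which strips the port (and the brackets of an IPv6 literal), unless the intent really is to allow only origins on the default port. Because the response now echoes the caller's Origin instead of a fixed value, add `w.Header().Add("Vary", "Origin")` beside the `Access-Control-Allow-Origin` set so a shared cache cannot hand one origin's response to another. Nothing here restricts the scheme, so `http://localhost` and `https://localhost` are treated alike — probably acceptable in dev mode, but worth stating in the `// Allow cross origin requests from localhost in dev mode.` comment. The body of `handle` starts before this hunk and continues after it.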