linx-server/csrf.go
mutantmonkey 6ff181facb add strict referrer check for POST uploads
This should protect against cross-site request forgery without the need
for cookies. It continues to allow requests with Linx-Delete-Key,
Linx-Expiry, or Linx-Randomize headers as these will not be set in the
case of cross-site requests.
2015-10-08 20:27:04 -07:00

25 lines
464 B
Go

package main
import (
"net/http"
"strings"
)
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
for _, header := range whitelistHeaders {
if r.Header.Get(header) != "" {
return true
}
}
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, prefix) {
return false
}
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, prefix) {
return false
}
return true
}