6ff181facb
This should protect against cross-site request forgery without the need for cookies. It continues to allow requests with Linx-Delete-Key, Linx-Expiry, or Linx-Randomize headers as these will not be set in the case of cross-site requests.
25 lines
464 B
Go
25 lines
464 B
Go
package main
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
)
|
|
|
|
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
|
|
for _, header := range whitelistHeaders {
|
|
if r.Header.Get(header) != "" {
|
|
return true
|
|
}
|
|
}
|
|
|
|
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, prefix) {
|
|
return false
|
|
}
|
|
|
|
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, prefix) {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|