linx-server/csrf.go
mutantmonkey a7ae455ac1 strict referrer check improvements
* Always check Origin if it is present, regardless of headers sent
* Whitelist X-Requested-With header
2015-10-12 00:28:04 -07:00

26 lines
492 B
Go

package main
import (
"net/http"
"strings"
)
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
p := strings.TrimSuffix(prefix, "/")
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
return false
}
for _, header := range whitelistHeaders {
if r.Header.Get(header) != "" {
return true
}
}
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
return false
}
return true
}