Prevent direct requests with X-Imgproxy-Secret header

config.go

@@ -70,6 +70,8 @@ type config struct {
 
 	Key  []byte
 	Salt []byte
+
+	Secret string
 }
 
 var conf = config{
@@ -101,6 +103,8 @@ func init() {
 	hexFileConfig(&conf.Key, *keypath)
 	hexFileConfig(&conf.Salt, *saltpath)
 
+	strEnvConfig(&conf.Secret, "IMGPROXY_SECRET")
+
 	if len(conf.Key) == 0 {
 		log.Fatalln("Key is not defined")
 	}

server.go

@@ -3,6 +3,7 @@ package main
 import (
 	"bytes"
 	"compress/gzip"
+	"crypto/subtle"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -116,9 +117,25 @@ func respondWithError(rw http.ResponseWriter, status int, err error, msg string)
 	rw.Write([]byte(msg))
 }
 
+func repondWithForbidden(rw http.ResponseWriter) {
+	logResponse(403, "Invalid secret")
+
+	rw.WriteHeader(403)
+	rw.Write([]byte("Forbidden"))
+}
+
+func checkSecret(s string) bool {
+	return len(conf.Secret) == 0 || subtle.ConstantTimeCompare([]byte(s), []byte(conf.Secret)) == 1
+}
+
 func (h httpHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 	log.Printf("GET: %s\n", r.URL.RequestURI())
 
+	if !checkSecret(r.Header.Get("X-Imgproxy-Secret")) {
+		repondWithForbidden(rw)
+		return
+	}
+
 	imgURL, procOpt, err := parsePath(r)
 	if err != nil {
 		respondWithError(rw, 404, err, "Invalid image url")