Prevent direct requests with X-Imgproxy-Secret header

2025-12-01 23:11:31 +02:00 · 2017-07-02 03:25:08 +06:00
parent 69b607cd98
commit fa5cf7045e
2 changed files with 21 additions and 0 deletions
--- a/server.go
+++ b/server.go
@@ -3,6 +3,7 @@ package main
 import (
 	"bytes"
 	"compress/gzip"
+	"crypto/subtle"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -116,9 +117,25 @@ func respondWithError(rw http.ResponseWriter, status int, err error, msg string)
 	rw.Write([]byte(msg))
 }

+func repondWithForbidden(rw http.ResponseWriter) {
+	logResponse(403, "Invalid secret")
+
+	rw.WriteHeader(403)
+	rw.Write([]byte("Forbidden"))
+}
+
+func checkSecret(s string) bool {
+	return len(conf.Secret) == 0 || subtle.ConstantTimeCompare([]byte(s), []byte(conf.Secret)) == 1
+}
+
 func (h httpHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 	log.Printf("GET: %s\n", r.URL.RequestURI())

+	if !checkSecret(r.Header.Get("X-Imgproxy-Secret")) {
+		repondWithForbidden(rw)
+		return
+	}
+
 	imgURL, procOpt, err := parsePath(r)
 	if err != nil {
 		respondWithError(rw, 404, err, "Invalid image url")