
[Web] use SEC_FETCH_DEST header instead of Referer to block api requests

This commit is contained in:
FreddleSpl0it 2024-04-03 11:43:48 +02:00
parent 0d09c86c12
commit 3aee2b6cf5
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5


@ -47,12 +47,10 @@ function api_log($_data) {
}
}
// deny requests from /SOGo locations
if (isset($_SERVER['HTTP_REFERER'])) {
if (strpos(strtolower($_SERVER['HTTP_REFERER']), '/sogo') !== false) {
header('HTTP/1.1 403 Forbidden');
exit;
}
// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
header('HTTP/1.1 403 Forbidden');
exit;
}
if (isset($_GET['query'])) {
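Review bot: The new guard on the `HTTP_SEC_FETCH_DEST` line lets through every request that simply omits the header, so clients without Fetch Metadata support (older browsers, any non-browser tooling) are not filtered at all, and `empty` alone does not separate same-origin from cross-site fetch/XHR calls — both arrive with `empty`. If the goal is to stop browser-driven use from other origins (what the removed Referer check approximated), the `Sec-Fetch-Site` header should be consulted when present, e.g. `if (isset($_SERVER['HTTP_SEC_FETCH_SITE']) && !in_array($_SERVER['HTTP_SEC_FETCH_SITE'], ['same-origin', 'none'], true)) { header('HTTP/1.1 403 Forbidden'); exit; }`. A direct navigation to an API URL in a browser tab now receives 403 (`Sec-Fetch-Dest: document`), which is a behaviour change the comment on the preceding line should state, e.g. `// Browsers send Sec-Fetch-Dest 'empty' for fetch/XHR; document, iframe, image and script loads are refused. Requests without the header (non-browser clients) are not filtered here.`. The hunk header names `api_log` but the shown lines sit after two closing braces, so the enclosing scope starts outside the hunk.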