self-hosted/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-01-10 04:18:10 +02:00
Code Issues Releases Activity

[Web] use SEC_FETCH_DEST header to block api requests

Browse Source
This commit is contained in:
FreddleSpl0it 2024-04-04 09:31:03 +02:00
parent c68a436a22
commit cd24057f1a
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
data/web/json_api.php
View File

@ -47,6 +47,12 @@ function api_log($_data) {
}
}
// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
header('HTTP/1.1 403 Forbidden');
exit;
}
if (isset($_GET['query'])) {
$query = explode('/', $_GET['query']);