Compare commits
2 Commits
bdabd56897
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| df7bc9ff71 | |||
| 98a6b5096c |
@@ -85,6 +85,11 @@ app.use(express.json());
|
|||||||
// Basic CSRF mitigation: require same-origin POSTs
|
// Basic CSRF mitigation: require same-origin POSTs
|
||||||
app.use((req, res, next) => {
|
app.use((req, res, next) => {
|
||||||
if (req.method !== 'POST') return next();
|
if (req.method !== 'POST') return next();
|
||||||
|
|
||||||
|
// MVP/dev: skip CSRF host checks entirely (reverse proxies + browser privacy features
|
||||||
|
// can omit/alter Origin/Referer and cause false blocks). Enforce in production.
|
||||||
|
if (!isProd) return next();
|
||||||
|
|
||||||
// Allow OAuth callbacks (they are GET in our app anyway) and health checks
|
// Allow OAuth callbacks (they are GET in our app anyway) and health checks
|
||||||
const origin = req.get('origin');
|
const origin = req.get('origin');
|
||||||
const referer = req.get('referer');
|
const referer = req.get('referer');
|
||||||
@@ -103,6 +108,10 @@ app.use((req, res, next) => {
|
|||||||
// Some clients omit Origin; allow Referer as fallback.
|
// Some clients omit Origin; allow Referer as fallback.
|
||||||
if ((origin && ok(origin)) || (!origin && referer && ok(referer))) return next();
|
if ((origin && ok(origin)) || (!origin && referer && ok(referer))) return next();
|
||||||
|
|
||||||
|
// In non-production MVP/dev environments, be permissive if headers are missing.
|
||||||
|
// (Notably some browsers/proxies can omit Origin/Referer on same-origin form posts.)
|
||||||
|
if (!isProd && !origin && !referer) return next();
|
||||||
|
|
||||||
return res.status(403).send('Blocked (CSRF)');
|
return res.status(403).send('Blocked (CSRF)');
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user