From 3aee2b6cf567222b6ea962f1a4d17160a283bb82 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Wed, 3 Apr 2024 11:43:48 +0200
Subject: [PATCH] [Web] use SEC_FETCH_DEST header instead of Referer to block api requests

---
 data/web/json_api.php | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/data/web/json_api.php b/data/web/json_api.php
index 0240626a..9e165b68 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -47,12 +47,10 @@ function api_log($_data) {
   }
 }
 
-// deny requests from /SOGo locations
-if (isset($_SERVER['HTTP_REFERER'])) {
-  if (strpos(strtolower($_SERVER['HTTP_REFERER']), '/sogo') !== false) {
-    header('HTTP/1.1 403 Forbidden');
-    exit;
-  }
+// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
+if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
+  header('HTTP/1.1 403 Forbidden');
+  exit;
 }
 
 if (isset($_GET['query'])) {
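Review bot: The new condition on `$_SERVER['HTTP_SEC_FETCH_DEST']` admits every request whose destination is `empty`, and `empty` is precisely what a same-origin `fetch()`/XMLHttpRequest issued by script running under /SOGo sends, so if the removed Referer test existed to keep SOGo-hosted content from calling the API, that case is no longer covered — only navigations, iframes, `<script src>`, images and similar embedded loads are rejected now. The header is also absent on non-browser clients and on browsers without Fetch Metadata support, so the check fails open for them; that is presumably intended for API-key clients, but the comment should say so, e.g. `// Fetch Metadata: reject non-fetch destinations (document, iframe, script, ...); 'empty' (fetch/XHR) and a missing header (non-browser or legacy UA) pass.` If the SOGo origin itself is the threat, keep a Referer- or `Sec-Fetch-Site`-based test alongside this one rather than relying on the destination alone; whatever session or CSRF checks follow are outside this hunk.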