Gnous/mailcow
2
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

[Web] use SEC_FETCH_DEST header to block api requests

Browse Source
This commit is contained in:
FreddleSpl0it 2024-04-04 09:31:03 +02:00
parent c68a436a22
commit cd24057f1a
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
data/web/json_api.php
View File

@ -47,6 +47,12 @@ function api_log($_data) {
} }
} }
// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
header('HTTP/1.1 403 Forbidden');
exit;
}
if (isset($_GET['query'])) { if (isset($_GET['query'])) {
$query = explode('/', $_GET['query']); $query = explode('/', $_GET['query']);