From cd24057f1ad410c2f6117b481af137e8b27b25d3 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Thu, 4 Apr 2024 09:31:03 +0200
Subject: [PATCH] [Web] use SEC_FETCH_DEST header to block api requests
---
 data/web/json_api.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 079e79ce8..2458e6624 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -47,6 +47,12 @@ function api_log($_data) {
 }
 }
+// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
+if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
+ header('HTTP/1.1 403 Forbidden');
+ exit;
+}
+
 if (isset($_GET['query'])) {
 $query = explode('/', $_GET['query']);
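Review bot: The new guard on `$_SERVER['HTTP_SEC_FETCH_DEST']` should not be read as a cross-site or CSRF defense: it does reject HTML form posts, navigations and `<script>`/`<img>` loads (destination `document`/`script`/`image`), but a cross-origin `fetch()` or XHR from an attacker page also carries `Sec-Fetch-Dest: empty`, and non-browser clients send no Fetch Metadata at all and pass unchanged, so the check is fail-open by design. If the intent is to keep other origins from driving the API from a browser, the header to test is `Sec-Fetch-Site`, e.g. extend the condition with `|| (isset($_SERVER['HTTP_SEC_FETCH_SITE']) && $_SERVER['HTTP_SEC_FETCH_SITE'] === 'cross-site')` — only if cross-origin browser callers are not a supported use of json_api.php, which this hunk does not show. `header('HTTP/1.1 403 Forbidden')` hard-codes the protocol version; `http_response_code(403);` is the idiomatic form and yields the correct status line under HTTP/2, and the bare `exit` sends an empty body where a consumer of a JSON endpoint would presumably expect the file's usual JSON error shape (defined outside this hunk). The comment should state what is actually rejected so the next maintainer does not over-trust it: `// Reject browser navigations, form posts and sub-resource loads (Sec-Fetch-Dest != 'empty'); fetch()/XHR and non-browser clients, which send no Fetch Metadata, are unaffected.` The hunk's trailing context runs past this chunk.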