
[Web] use SEC_FETCH_DEST header to block api requests

This commit is contained in:
FreddleSpl0it
2024-04-04 09:31:03 +02:00
parent c68a436a22
commit cd24057f1a


@@ -47,6 +47,12 @@ function api_log($_data) {
} }
} }
// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
header('HTTP/1.1 403 Forbidden');
exit;
}
if (isset($_GET['query'])) { if (isset($_GET['query'])) {
$query = explode('/', $_GET['query']); $query = explode('/', $_GET['query']);