Diffstat (limited to 'src/invidious.cr')
-rw-r--r--src/invidious.cr12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/invidious.cr b/src/invidious.cr
index 22643016..f38a1343 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -106,6 +106,18 @@ spawn do
end
before_all do |env|
+ # CSRF
+ if Kemal.config.ssl || CONFIG.https_only
+ host = env.request.headers["Host"]?
+
+ if (env.request.headers["Origin"]?.try &.== host) ||
+ (env.request.headers["Referer"]?.try &.== host)
+ # All good!
+ else
+ halt env, status_code: 403, response: "Failed CSRF check"
+ end
+ end
+
if env.request.cookies.has_key? "SID"
headers = HTTP::Headers.new
headers["Cookie"] = env.request.headers["Cookie"]