add quick security check to requests

+32 -1
+32 -1
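--- a/main.go
+++ b/main.go
@@ -515,7 +515,7 @@
 fmt.Printf("Now serving at http://%s:%d\n", app.Config.Host, app.Config.Port)
 stdLog.Fatal(
 http.ListenAndServe(fmt.Sprintf("%s:%d", app.Config.Host, app.Config.Port),
-HTTPLog(DefaultHeaders(mux)),
+CheckRequest(&app, HTTPLog(DefaultHeaders(mux))),
 ))
 }
 
@@ -560,6 +560,37 @@
 "the love of creating",
 "not for the sake of art; not for the sake of money; we like painting naked people",
 "30 billion dollars in VC funding",
+}
+
+func CheckRequest(app *model.AppState, next http.Handler) http.Handler {
+return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+// requests with empty user agents are considered suspicious.
+// every browser supplies them; hell, even curl supplies them.
+// i only ever see null user-agents paired with malicious requests,
+// so i'm canning them altogether.
+if len(r.Header.Get("User-Agent")) == 0 {
+http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+return
+}
+
+// same with .php and awkward double-slash requests.
+// obviously these don't affect me, but these tend to be lazy intrusion
+// attempts. if that's what you're about, i don't want you on my site.
+if strings.HasPrefix(r.URL.Path, "//") ||
+strings.HasSuffix(r.URL.Path, ".php") ||
+strings.HasSuffix(r.URL.Path, ".php7") {
+http.NotFound(w, r)
+fmt.Fprintf(
+os.Stderr,
+"WARN: Suspicious activity blocked: {\"path\":\"%s\",\"address\":\"%s\"}\n",
+r.URL.Path,
+r.RemoteAddr,
+)
+return
+}
+
+next.ServeHTTP(w, r)
+})
 }
 
 func DefaultHeaders(next http.Handler) http.Handler {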
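Review bot: The WARN line in the new `CheckRequest` body interpolates `r.URL.Path` with `%s` into hand-built JSON, and since `URL.Path` is already percent-decoded a request path carrying a quote or newline can break the record or inject an extra log line; use `%q` for both fields, `"WARN: Suspicious activity blocked: {\"path\":%q,\"address\":%q}\n"`, or marshal a small struct with encoding/json. The `app *model.AppState` parameter is never read inside the handler, so either drop it (together with the `&app` argument added in the first hunk) or add a comment explaining why it is kept. The User-Agent branch rejects silently while the path branch logs, and because `CheckRequest` wraps `HTTPLog` neither rejected request reaches the access log, so emitting the same WARN line in the first branch would keep detection consistent. `r.RemoteAddr` is presumably the direct TCP peer; if this app runs behind a reverse proxy the logged address will be the proxy's, which is worth a comment next to the log call.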