path: root/src/error.rs
author: Martin Fischer <martin@push-f.com> 2021-07-04 00:25:01 +0200
committer: Martin Fischer <martin@push-f.com> 2021-07-04 11:19:41 +0200
commit: c0b8d6a9876a95bc5d8fd8a30333e65949f5c9d1
tree: 40bfa7846a11fae026f45aefb3b1a87dbfa59ec6 /src/error.rs
parent: 17d98a70a76efc02f643e9cfe13836120a2c5114
strictly enforce Host and Origin headers
Previously the Origin header was only checked if you specified an origin with --origin on startup and when you didn't we just printed a warning that this might make you vulnerable to CSRF attacks. I implemented it this way since I wanted GitPad to be runnable without any command-line options, but such warnings are of course suboptimal for security since they can simply be ignored. This commit changes this behavior so that the Origin header is always checked for POST requests. If you just run "gitpad" the enforced origin defaults to http://127.0.0.1:<port>. Additionally this commit also enforces an exact Host header (extracted from the Origin) to prevent DNS rebinding attacks.
Diffstat (limited to 'src/error.rs')
0 files changed, 0 insertions, 0 deletions
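The two checks the commit message describes, written out as an added example that is not GitPad's own code: an exact Origin match on POST (defaulting to http://127.0.0.1:<port>) and an exact Host match derived from that Origin. It assumes the Host check applies to every request, since a DNS rebinding request can use any method, and that a POST with no Origin header is rejected rather than treated as same-origin.

```rust
/// Outcome of the header checks (added example, not GitPad's src/error.rs).
#[derive(Debug, PartialEq, Eq)]
pub enum RequestError {
    BadHost,
    BadOrigin,
}

/// The single origin the server accepts, e.g. "http://127.0.0.1:8080",
/// and the Host value derived from it ("127.0.0.1:8080").
pub struct EnforcedOrigin {
    origin: String,
    host: String,
}

impl EnforcedOrigin {
    /// Parse a configured origin of the form scheme://host[:port] (no path).
    pub fn new(origin: &str) -> Option<Self> {
        let (_scheme, authority) = origin.split_once("://")?;
        if authority.is_empty() || authority.contains('/') {
            return None;
        }
        Some(Self { origin: origin.to_string(), host: authority.to_string() })
    }

    /// Default used when no --origin is given: http://127.0.0.1:<port>.
    pub fn default_for_port(port: u16) -> Self {
        Self::new(&format!("http://127.0.0.1:{}", port)).expect("valid default origin")
    }

    /// Host must match exactly on every request (under DNS rebinding the
    /// attacker's hostname shows up in Host). Origin must match exactly on
    /// POST (CSRF); a missing Origin on POST is rejected, not assumed same-origin.
    pub fn check(&self, method: &str, host: Option<&str>, origin: Option<&str>) -> Result<(), RequestError> {
        if host != Some(self.host.as_str()) {
            return Err(RequestError::BadHost);
        }
        if method.eq_ignore_ascii_case("POST") && origin != Some(self.origin.as_str()) {
            return Err(RequestError::BadOrigin);
        }
        Ok(())
    }
}

fn main() {
    // Constructed request headers for illustration (assumed, not from the page).
    let enforced = EnforcedOrigin::default_for_port(8080);
    println!("{:?}", enforced.check("POST", Some("127.0.0.1:8080"), Some("http://evil.example")));
    println!("{:?}", enforced.check("GET", Some("rebound.example:8080"), None));
}
```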