Use POST for the /api/apply-wg-config endpoint and check the Content-Type Header for all non-GET requests to prevent CSRF attacks

This commit is contained in:
Marcus Wichelmann 2022-07-08 20:02:18 +02:00
parent f43c59c043
commit 7c7081a3ba
No known key found for this signature in database
GPG key ID: D9FC1B92E557C80D
3 changed files with 47 additions and 28 deletions

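--- /dev/null
+++ b/handler/middlewares.go
@@ -0,0 +1,19 @@
+package handler
+import (
+"github.com/labstack/echo/v4"
+"net/http"
+)
+// ContentTypeJson checks that the requests have the Content-Type header set to "application/json".
+// This helps against CSRF attacks.
+func ContentTypeJson(next echo.HandlerFunc) echo.HandlerFunc {
+return func(c echo.Context) error {
+contentType := c.Request().Header.Get("Content-Type")
+if contentType != "application/json" {
+return c.JSON(http.StatusBadRequest, jsonHTTPResponse{false, "Only JSON allowed"})
+}
+return next(c)
+}
+}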
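Review bot: The exact string comparison in `if contentType != "application/json"` rejects legitimate requests whose header carries parameters, such as `application/json; charset=utf-8`, which several HTTP clients send by default, while adding nothing to the CSRF defence (any media type other than the form-simple ones already forces a CORS preflight). Parse the header instead and compare the media type: `mediaType, _, err := mime.ParseMediaType(c.Request().Header.Get("Content-Type"))` followed by `if err != nil || mediaType != "application/json" {`, which needs `"mime"` added to the import block. While touching that line, `http.StatusUnsupportedMediaType` describes the rejection more precisely than `http.StatusBadRequest`. The protection also depends on the server never relaxing the browser's same-origin rules, so a permissive CORS configuration (e.g. a wildcard `Access-Control-Allow-Origin`) elsewhere would undo it; the route wiring that attaches this middleware to every non-GET handler lives in the other two changed files, which are not visible here, so I cannot confirm that no state-changing route is left uncovered. Minor: Go's initialism convention would name the function `ContentTypeJSON`.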