From c82709084b32837956a86d2aa0ccdc4031f4dabf Mon Sep 17 00:00:00 2001
From: ari melody
Date: Wed, 20 Aug 2025 12:41:55 +0100
Subject: [PATCH] add quick security check to requests

---
 main.go | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/main.go b/main.go
index edd4c87..9133958 100644
--- a/main.go
+++ b/main.go
@@ -515,7 +515,7 @@ func main() {
 fmt.Printf("Now serving at http://%s:%d\n", app.Config.Host, app.Config.Port)
 stdLog.Fatal(
 http.ListenAndServe(fmt.Sprintf("%s:%d", app.Config.Host, app.Config.Port),
- HTTPLog(DefaultHeaders(mux)),
+ CheckRequest(&app, HTTPLog(DefaultHeaders(mux))),
 ))
 }
 
@@ -562,6 +562,37 @@ var PoweredByStrings = []string{
 "30 billion dollars in VC funding",
 }
 
+func CheckRequest(app *model.AppState, next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ // requests with empty user agents are considered suspicious.
+ // every browser supplies them; hell, even curl supplies them.
+ // i only ever see null user-agents paired with malicious requests,
+ // so i'm canning them altogether.
+ if len(r.Header.Get("User-Agent")) == 0 {
+ http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+ return
+ }
+
+ // same with .php and awkward double-slash requests.
+ // obviously these don't affect me, but these tend to be lazy intrusion
+ // attempts. if that's what you're about, i don't want you on my site.
+ if strings.HasPrefix(r.URL.Path, "//") ||
+ strings.HasSuffix(r.URL.Path, ".php") ||
+ strings.HasSuffix(r.URL.Path, ".php7") {
+ http.NotFound(w, r)
+ fmt.Fprintf(
+ os.Stderr,
+ "WARN: Suspicious activity blocked: {\"path\":\"%s\",\"address\":\"%s\"}\n",
+ r.URL.Path,
+ r.RemoteAddr,
+ )
+ return
+ }
+
+ next.ServeHTTP(w, r)
+ })
+}
+
 func DefaultHeaders(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 w.Header().Add("Server", "ari melody webbed site")
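Review bot: The warning written at the `fmt.Fprintf(os.Stderr, ...)` call in CheckRequest interpolates `r.URL.Path` and `r.RemoteAddr` with `%s` into a JSON-shaped line, but `r.URL.Path` is the percent-decoded path, so a request carrying an encoded quote, newline or other control byte can break the line's structure or smuggle a forged log record; `%q` quotes and escapes both values: `"WARN: Suspicious activity blocked: {\"path\":%q,\"address\":%q}\n",`. The `app *model.AppState` parameter is never read inside the handler, so it should be dropped from the signature (and the call site in the first hunk) or its intended use documented. The `.php`/`.php7` suffix checks are case-sensitive; if the intent is to catch any PHP-looking path, compare `strings.ToLower(r.URL.Path)` instead. `r.RemoteAddr` is the immediate TCP peer, so behind a reverse proxy it will presumably record the proxy's address rather than the client's — worth confirming for this deployment. The empty-User-Agent branch replies 400 silently while the path branch replies 404 and logs; the difference looks intentional, but a one-line comment saying why would help the next reader.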