add quick security check to requests

main.go

@@ -515,7 +515,7 @@ func main() {
     fmt.Printf("Now serving at http://%s:%d\n", app.Config.Host, app.Config.Port)
     stdLog.Fatal(
         http.ListenAndServe(fmt.Sprintf("%s:%d", app.Config.Host, app.Config.Port), 
-        HTTPLog(DefaultHeaders(mux)),
+        CheckRequest(&app, HTTPLog(DefaultHeaders(mux))),
     ))
 }
 
@@ -562,6 +562,37 @@ var PoweredByStrings = []string{
     "30 billion dollars in VC funding",
 }
 
+func CheckRequest(app *model.AppState, next http.Handler) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        // requests with empty user agents are considered suspicious.
+        // every browser supplies them; hell, even curl supplies them.
+        // i only ever see null user-agents paired with malicious requests,
+        // so i'm canning them altogether.
+        if len(r.Header.Get("User-Agent")) == 0 {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        // same with .php and awkward double-slash requests.
+        // obviously these don't affect me, but these tend to be lazy intrusion
+        // attempts. if that's what you're about, i don't want you on my site.
+        if strings.HasPrefix(r.URL.Path, "//") ||
+        strings.HasSuffix(r.URL.Path, ".php") ||
+        strings.HasSuffix(r.URL.Path, ".php7") {
+            http.NotFound(w, r)
+            fmt.Fprintf(
+                os.Stderr,
+                "WARN: Suspicious activity blocked: {\"path\":\"%s\",\"address\":\"%s\"}\n",
+                r.URL.Path,
+                r.RemoteAddr,
+            )
+            return
+        }
+
+        next.ServeHTTP(w, r)
+    })
+}
+
 func DefaultHeaders(next http.Handler) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         w.Header().Add("Server", "ari melody webbed site")