Khởi tạo dự án 3dtours

backend/middlewares/securityMiddleware.js

@@ -0,0 +1,55 @@
+const { URL } = require('url');
+
+/**
+ * Anti-hotlinking middleware. Ensures that requests for assets originate
+ * from the official app domain (SYSTEM_HOST). Blocks direct URL access.
+ */
+const verifyReferer = (req, res, next) => {
+    const referer = req.headers.referer;
+    const origin = req.headers.origin;
+    const systemHost = process.env.SYSTEM_HOST || 'http://localhost:5000';
+
+    let allowedOrigin;
+    try {
+        allowedOrigin = new URL(systemHost).origin;
+    } catch (e) {
+        allowedOrigin = systemHost;
+    }
+
+    const isMatch = (headerValue) => {
+        if (!headerValue) return false;
+        try {
+            return new URL(headerValue).origin === allowedOrigin;
+        } catch (e) {
+            return headerValue.startsWith(allowedOrigin);
+        }
+    };
+
+    const hasValidReferer = isMatch(referer);
+    const hasValidOrigin = isMatch(origin);
+
+    // Block request if both referer and origin are missing or do not match SYSTEM_HOST
+    if (!hasValidReferer && !hasValidOrigin) {
+        return res.status(403).json({ 
+            message: 'Access denied: Hotlinking detected or direct file access is prohibited.' 
+        });
+    }
+
+    next();
+};
+
+/**
+ * Cache prevention middleware. Ensures that sensitive image assets are never
+ * cached by client browsers or intermediate proxies.
+ */
+const setNoCacheHeaders = (req, res, next) => {
+    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+    res.setHeader('Pragma', 'no-cache');
+    res.setHeader('Expires', '0');
+    next();
+};
+
+module.exports = {
+    verifyReferer,
+    setNoCacheHeaders
+};