admin/3dtours
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
10d2e0729735b090b79bef66b372054b54079eae
3dtours/backend/middlewares/securityMiddleware.js
T
admin 10d2e07297 Khởi tạo dự án 3dtours
2026-06-07 16:55:00 +07:00

56 lines
1.6 KiB
JavaScript
Raw Blame History

const { URL } = require('url');
/**
* Anti-hotlinking middleware. Ensures that requests for assets originate
* from the official app domain (SYSTEM_HOST). Blocks direct URL access.
*/
const verifyReferer = (req, res, next) => {
const referer = req.headers.referer;
const origin = req.headers.origin;
const systemHost = process.env.SYSTEM_HOST || 'http://localhost:5000';
let allowedOrigin;
try {
allowedOrigin = new URL(systemHost).origin;
} catch (e) {
allowedOrigin = systemHost;
}
const isMatch = (headerValue) => {
if (!headerValue) return false;
try {
return new URL(headerValue).origin === allowedOrigin;
} catch (e) {
return headerValue.startsWith(allowedOrigin);
}
};
const hasValidReferer = isMatch(referer);
const hasValidOrigin = isMatch(origin);
// Block request if both referer and origin are missing or do not match SYSTEM_HOST
if (!hasValidReferer && !hasValidOrigin) {
return res.status(403).json({
message: 'Access denied: Hotlinking detected or direct file access is prohibited.'
});
}
next();
};
/**
* Cache prevention middleware. Ensures that sensitive image assets are never
* cached by client browsers or intermediate proxies.
*/
const setNoCacheHeaders = (req, res, next) => {
res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
res.setHeader('Pragma', 'no-cache');
res.setHeader('Expires', '0');
next();
};
module.exports = {
verifyReferer,
setNoCacheHeaders
};
Reference in New Issue View Git Blame Copy Permalink