diag: log checkOrigin rejections

This commit is contained in:
portakal 2026-06-16 14:53:32 +03:00
commit da99cfdb60

View file

@ -80,12 +80,20 @@ export function checkOrigin(req, res, next) {
if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next(); if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
const origin = req.get('origin') || req.get('referer'); const origin = req.get('origin') || req.get('referer');
if (origin) { if (origin) {
const allowed = allowedHosts(req);
try { try {
const host = new URL(origin).host; const host = new URL(origin).host;
if (allowedHosts(req).has(host)) return next(); if (allowed.has(host)) return next();
} catch { } catch {
/* fall through */ /* fall through */
} }
log.warn('checkOrigin rejected', {
origin,
host: req.get('host'),
xForwardedHost: req.get('x-forwarded-host'),
allowed: [...allowed],
path: req.path,
});
return res.status(403).send('Bad origin'); return res.status(403).send('Bad origin');
} }
// No Origin/Referer header (e.g. some curl uploads) — allow; SameSite cookie still guards browsers. // No Origin/Referer header (e.g. some curl uploads) — allow; SameSite cookie still guards browsers.