checkHost returns a handler that wraps next such that it will only be called if the request's Host header matches a trustworthy/expected value. This helps to mitigate DNS rebinding attacks.
(r *http.Request)
| 923 | // a trustworthy/expected value. This helps to mitigate DNS |
| 924 | // rebinding attacks. |
func (h adminHandler) checkHost(r *http.Request) error {
	// r.Host is the request's Host header (or :authority); each configured
	// origin's Host is compared to it exactly and case-sensitively, port
	// included, so only a literal match is accepted. Stop at the first hit.
	for _, origin := range h.allowedOrigins {
		if origin.Host == r.Host {
			return nil
		}
	}
	// Nothing matched (this includes an empty allow-list): refuse the request
	// with 403. The rejected Host value is carried in the error so the caller
	// can surface what was presented.
	return APIError{
		HTTPStatus: http.StatusForbidden,
		Err:        fmt.Errorf("host not allowed: %s", r.Host),
	}
}
| 937 | |
| 938 | // checkOrigin ensures that the Origin header, if |
| 939 | // set, matches the intended target; prevents arbitrary |