Files
pleskSaas/lib/api/security.ts

20 lines
531 B
TypeScript

import { env } from "@/lib/env";
export function assertSameOrigin(request: Request) {
const origin = request.headers.get("origin");
const host =
request.headers.get("x-forwarded-host") ?? request.headers.get("host");
if (!origin || !host) {
throw new Error("Invalid request origin");
}
const originUrl = new URL(origin);
const appUrl = new URL(env.appUrl);
const allowedHosts = new Set([appUrl.host, host]);
if (!allowedHosts.has(originUrl.host)) {
throw new Error("Cross-site POST blocked");
}
}