Flag to enforce API requests over SSL

2026-01-18 15:18:04 +00:00 · 2013-05-20 07:33:26 +02:00 · 2013-05-20 07:33:26 +02:00 · 44d030e88a
commit 44d030e88a
parent fe0c142de7
2 changed files with 11 additions and 1 deletions
--- a/config.default.json
+++ b/config.default.json
@ -48,7 +48,8 @@
    "report": []
  },
  "api": {
-    "allowAnonymous": true
+    "allowAnonymous": true,
+    "requireSSL": false
  },
  "blacklist": {
    "html": ["processform.cgi", "habbo.com"],
--- a/lib/middleware.js
+++ b/lib/middleware.js
@ -189,6 +189,15 @@ module.exports = {

      if (req.url.indexOf('/api') === 0) {
        req.isApi = true;
+
+        if (config.api.requireSSL) {
+          if (!req.secure && (String(req.headers['x-forwarded-proto']).toLowerCase() !== "https") ) {
+            res.status(403); // forbidden
+            res.json({ error: 'All API requests must be made over SSL/TLS' });
+            return;
+          }
+        }
+
        if (req.query.api_key) {
          apiKey = req.query.api_key;
        } else if (req.headers.authorization) {