🛠️ fix: add code to prevent csrf attacks using cors (#172)

neon_arch 2023-08-03 17:44:13 +03:00
parent 5b4e7c75c0
commit bef8956da6
3 changed files with 30 additions and 1 deletions


@ -12,8 +12,9 @@ use std::net::TcpListener;
use crate::server::routes;
use actix_cors::Cors;
use actix_files as fs;
use actix_web::{dev::Server, middleware::Logger, web, App, HttpServer};
use actix_web::{dev::Server, http::header, middleware::Logger, web, App, HttpServer};
use config::parser::Config;
use handlebars::Handlebars;
use handler::public_paths::public_path;
@ -50,9 +51,20 @@ pub fn run(listener: TcpListener, config: Config) -> std::io::Result<Server> {
let handlebars_ref: web::Data<Handlebars> = web::Data::new(handlebars);
let server = HttpServer::new(move || {
let cors: Cors = Cors::default()
.allow_any_origin()
.allowed_methods(vec!["GET"])
.allowed_headers(vec![
header::ORIGIN,
header::CONTENT_TYPE,
header::REFERER,
header::COOKIE,
]);
App::new()
.app_data(handlebars_ref.clone())
.app_data(web::Data::new(config.clone()))
.wrap(cors)
.wrap(Logger::default()) // added logging middleware for logging.
// Serve images and static files (css and js files).
.service(
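Review bot: The `Cors::default().allow_any_origin()` policy built at the top of the `HttpServer::new` closure is not a CSRF defence on its own. CORS only decides which cross-origin scripts may read a response and which preflighted requests pass, and with every origin allowed, any site can read the GET responses. If the aim is to keep other sites out, pin the policy to the instance's own origin, e.g. `.allowed_origin("https://<instance-origin>")` (placeholder, ideally read from `config`), and keep the GET handlers free of side effects. `header::COOKIE` in `allowed_headers` looks unnecessary, since browsers do not let scripts set `Cookie` and `supports_credentials()` is not enabled here; dropping it keeps the allow-list minimal. The closure and `run` continue past the end of this hunk, so the later `.service(...)` registrations were not reviewed.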