添加严格的域名访问限制

2025-09-16 12:08:27 +08:00
parent acb717c342
commit 18f22fc796
7 changed files with 322 additions and 4 deletions
+31
@@ -38,6 +38,11 @@ import {
logout,
type UserRole
} from "~/api/login/auth.server";
import {
validateRequest,
isProtectedRoute,
logSecurityEvent
} from "~/middleware/host-validation";
// 定义需要高级权限的路径
export const developerOnlyPaths = [
@@ -70,6 +75,32 @@ export async function loader({ request }: LoaderFunctionArgs) {
const url = new URL(request.url);
const pathname = url.pathname;
// ==================== Host头验证 ====================
// 1. 首先进行Host头验证,防止Host Header注入攻击
const hostValidation = validateRequest(request);
if (!hostValidation.valid) {
// 记录安全事件
logSecurityEvent('host_validation_failed', hostValidation.error || 'Unknown validation error', request);
// 对于受保护的路由,直接返回403错误
if (isProtectedRoute(pathname)) {
throw new Response("Forbidden: Invalid Host header", {
status: 403,
statusText: "Forbidden"
});
}
// 对于普通路由,重定向到错误页面
console.error('❌ Host验证失败:', hostValidation.error);
throw new Response("Forbidden: Invalid request headers", {
status: 403,
statusText: "Forbidden"
});
}
// console.log('✅ Host验证通过,继续处理请求');
// ==================== Host头验证结束 ====================
// 排除不需要登录验证的路径
const publicPaths = ['/login', '/favicon.ico', '/callback'];
const isPublicPath = publicPaths.some(path => pathname.startsWith(path));
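Review bot: The `isProtectedRoute(pathname)` branch inside the failed-host-validation block is effectively dead: both the protected path and the fallback throw a `Response` with status 403 and statusText "Forbidden", so the comment `// 对于普通路由,重定向到错误页面` describes a redirect that never happens and the only observable difference is the body text plus an extra `console.error`. A uniform 403 is the right outcome here (a redirect derived from an untrusted Host header would reintroduce the problem), so collapse the two throws into one after the `logSecurityEvent` call, e.g. `console.error('❌ Host验证失败:', hostValidation.error); throw new Response("Forbidden: Invalid Host header", { status: 403, statusText: "Forbidden" });`, and drop or fix the misleading comment; if the distinction is really intended, the comment and the fallback body should say what actually differs. With that change the `isProtectedRoute` import in the first hunk is unused in this file unless referenced elsewhere. The enclosing `loader` starts before the hunk and continues after it.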