添加严格的域名访问限制
@@ -38,6 +38,11 @@ import {
logout,
type UserRole
} from "~/api/login/auth.server";
import {
validateRequest,
isProtectedRoute,
logSecurityEvent
} from "~/middleware/host-validation";
// 定义需要高级权限的路径
export const developerOnlyPaths = [
@@ -70,6 +75,32 @@ export async function loader({ request }: LoaderFunctionArgs) {
const url = new URL(request.url);
const pathname = url.pathname;
// ==================== Host头验证 ====================
// 1. 首先进行Host头验证,防止Host Header注入攻击
const hostValidation = validateRequest(request);
if (!hostValidation.valid) {
// 记录安全事件
logSecurityEvent('host_validation_failed', hostValidation.error || 'Unknown validation error', request);
// 对于受保护的路由,直接返回403错误
if (isProtectedRoute(pathname)) {
throw new Response("Forbidden: Invalid Host header", {
status: 403,
statusText: "Forbidden"
});
}
// 对于普通路由,重定向到错误页面
console.error('❌ Host验证失败:', hostValidation.error);
throw new Response("Forbidden: Invalid request headers", {
status: 403,
statusText: "Forbidden"
});
}
// console.log('✅ Host验证通过,继续处理请求');
// ==================== Host头验证结束 ====================
// 排除不需要登录验证的路径
const publicPaths = ['/login', '/favicon.ico', '/callback'];
const isPublicPath = publicPaths.some(path => pathname.startsWith(path));
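Review bot: The two branches inside `if (!hostValidation.valid)` are effectively the same: the comment before the second one says ordinary routes are redirected to an error page, but both the `isProtectedRoute(pathname)` branch and the fall-through throw a 403 Response that differs only in body text, so the protected-route check has no observable effect. Either make the non-protected branch actually redirect (whether a `redirect` helper is imported is outside this hunk, and any absolute redirect built from `request.url` would reuse the unvalidated host) or drop the inner check and keep a single throw with an accurate comment, e.g. `// Every route gets a 403 on an invalid Host header; no redirect, since the target would depend on the untrusted host.` Separately, `console.error('❌ Host验证失败:', hostValidation.error)` duplicates the `logSecurityEvent` call a few lines above and, if the error text embeds the raw Host value, writes request-controlled input to a second log sink; one sanitized log path inside `logSecurityEvent` would be cleaner. `loader` begins before this hunk (its signature is only in the `@@` context) and continues after it.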