d0zingcat/cors-anywhere
1
0
Fork 0
mirror of https://github.com/d0zingcat/cors-anywhere.git synced 2026-05-13 23:16:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7271e29f21974213296bf4fa3b3c263ce43c7b51
cors-anywhere/server.js
bulk88 7271e29f21 remove Heroku specific Req headers from being sent to Origin 
-saves bytes, and avoids triggering IDS/WAF alarms since browser finger
 printing will prove these headers are unnatural and on SSL must be a MITM
 attack

-leave x-forwarded-* intact since they can be used to block CORS proxy
 abuse if the not-CORS origin webmaster really has to block the proxy
 and they are not unique to Heroku platform
2020-09-28 06:19:06 -04:00

53 lines
1.8 KiB
JavaScript
Raw Blame History

// Listen on a specific host via the HOST environment variable
var host = process.env.HOST || '0.0.0.0';
// Listen on a specific port via the PORT environment variable
var port = process.env.PORT || 8080;
// Grab the blacklist from the command-line so that we can update the blacklist without deploying
// again. CORS Anywhere is open by design, and this blacklist is not used, except for countering
// immediate abuse (e.g. denial of service). If you want to block all origins except for some,
// use originWhitelist instead.
var originBlacklist = parseEnvList(process.env.CORSANYWHERE_BLACKLIST);
var originWhitelist = parseEnvList(process.env.CORSANYWHERE_WHITELIST);
function parseEnvList(env) {
if (!env) {
return [];
}
return env.split(',');
}
// Set up rate-limiting to avoid abuse of the public CORS Anywhere server.
var checkRateLimit = require('./lib/rate-limit')(process.env.CORSANYWHERE_RATELIMIT);
var cors_proxy = require('./lib/cors-anywhere');
cors_proxy.createServer({
originBlacklist: originBlacklist,
originWhitelist: originWhitelist,
requireHeader: ['origin', 'x-requested-with'],
checkRateLimit: checkRateLimit,
removeHeaders: [
'cookie',
'cookie2',
// Strip Heroku-specific headers
'x-heroku-queue-wait-time',
'x-heroku-queue-depth',
'x-heroku-dynos-in-use',
'x-request-start',
'x-request-id',
'via',
'connect-time',
'total-route-time',
// Other Heroku added debug headers
// 'x-forwarded-for',
// 'x-forwarded-proto',
// 'x-forwarded-port',
],
redirectSameOrigin: true,
httpProxyOptions: {
// Do not add X-Forwarded-For, etc. headers, because Heroku already adds it.
xfwd: false,
},
}).listen(port, host, function() {
console.log('Running CORS Anywhere on ' + host + ':' + port);
});
Reference in New Issue View Git Blame Copy Permalink