Merge pull request #174 from neon-mmd/patch-csrf-security-with-cors

🛠️ Provide CORS protection against CSRF attacks

Cargo.lock

@@ -19,6 +19,21 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "actix-cors"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b340e9cfa5b08690aae90fb61beb44e9b06f44fe3d0f93781aaa58cfba86245e"
+dependencies = [
+ "actix-utils",
+ "actix-web",
+ "derive_more",
+ "futures-util",
+ "log",
+ "once_cell",
+ "smallvec 1.11.0",
+]
+
 [[package]]
 name = "actix-files"
 version = "0.6.2"
@@ -190,7 +205,7 @@ dependencies = [
  "serde_urlencoded 0.7.1",
  "smallvec 1.11.0",
  "socket2",
- "time 0.3.24",
+ "time 0.3.25",
  "url 2.4.0",
 ]
 
@@ -583,7 +598,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e859cd57d0710d9e06c381b550c06e76992472a8c6d527aecd2fc673dcc231fb"
 dependencies = [
  "percent-encoding 2.3.0",
- "time 0.3.24",
+ "time 0.3.25",
  "version_check",
 ]
 
@@ -801,9 +816,9 @@ dependencies = [
 
 [[package]]
 name = "deranged"
-version = "0.3.6"
+version = "0.3.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8810e7e2cf385b1e9b50d68264908ec367ba642c96d02edfe61c39e88e2a3c01"
+checksum = "7684a49fb1af197853ef7b2ee694bc1f5b4179556f1e5710e1760c5db6f5e929"
 
 [[package]]
 name = "derive_more"
@@ -3000,9 +3015,9 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.3.24"
+version = "0.3.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b79eabcd964882a646b3584543ccabeae7869e9ac32a46f6f22b7a5bd405308b"
+checksum = "b0fdd63d58b18d663fbdf70e049f00a22c8e42be082203be7f26589213cd75ea"
 dependencies = [
  "deranged",
  "itoa 1.0.9",
@@ -3519,8 +3534,9 @@ dependencies = [
 
 [[package]]
 name = "websurfx"
-version = "0.16.0"
+version = "0.16.1"
 dependencies = [
+ "actix-cors",
  "actix-files",
  "actix-web",
  "async-trait",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "websurfx"
-version = "0.16.0"
+version = "0.16.1"
 edition = "2021"
 description = "An open-source alternative to Searx that provides clean, ad-free, and organic results with incredible speed while keeping privacy and security in mind."
 repository = "https://github.com/neon-mmd/websurfx"
@@ -14,6 +14,7 @@ handlebars = { version = "4.3.6", features = ["dir_source"] }
 scraper = {version="*"}
 actix-web = {version="4.3.1", features = ["cookies"]}
 actix-files = {version="0.6.2"}
+actix-cors = {version="0.6.4"}
 serde_json = {version="*"}
 fake-useragent = {version="*"}
 env_logger = {version="0.10.0"}

src/lib.rs

@@ -12,8 +12,9 @@ use std::net::TcpListener;
 
 use crate::server::routes;
 
+use actix_cors::Cors;
 use actix_files as fs;
-use actix_web::{dev::Server, middleware::Logger, web, App, HttpServer};
+use actix_web::{dev::Server, http::header, middleware::Logger, web, App, HttpServer};
 use config::parser::Config;
 use handlebars::Handlebars;
 use handler::public_paths::public_path;
@@ -52,9 +53,20 @@ pub fn run(listener: TcpListener, config: Config) -> std::io::Result<Server> {
     let cloned_config_threads_opt: u8 = config.threads;
 
     let server = HttpServer::new(move || {
+        let cors: Cors = Cors::default()
+            .allow_any_origin()
+            .allowed_methods(vec!["GET"])
+            .allowed_headers(vec![
+                header::ORIGIN,
+                header::CONTENT_TYPE,
+                header::REFERER,
+                header::COOKIE,
+            ]);
+
         App::new()
             .app_data(handlebars_ref.clone())
             .app_data(web::Data::new(config.clone()))
+            .wrap(cors)
             .wrap(Logger::default()) // added logging middleware for logging.
             // Serve images and static files (css and js files).
             .service(