createUser(): fix check for localhost login when using local proxies
Testing the socket address for 127.0.0.1 isn't enough when the API is accessible behind a local proxy (like a Tor onion service). By checking the "Host" HTTP header field, the access is further restricted. This is still not bulletproof if an attacker fakes the "Host" field. Likely we need more proof, like a process PID which can be verified by deCONZ.
Showing 1 changed file with 7 additions and 1 deletion.
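
The check described in the commit message and its stated limitation, as an added example: this is not the deCONZ code, and the function names and the sample peer and Host values are constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Added illustration; names are hypothetical, not from the deCONZ source.
// Host part of a Host header value: lowercased, optional port removed,
// bracketed IPv6 literals such as "[::1]:8080" unwrapped.
std::string hostOnly(std::string host)
{
    std::transform(host.begin(), host.end(), host.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (!host.empty() && host.front() == '[') {
        const std::string::size_type end = host.find(']');
        return end == std::string::npos ? std::string() : host.substr(1, end - 1);
    }
    return host.substr(0, host.find(':'));
}

// The socket peer address is numeric, so exact comparison is enough.
bool isLoopbackPeer(const std::string &peer)
{
    return peer == "127.0.0.1" || peer == "::1" || peer == "::ffff:127.0.0.1";
}

// Exact match only: a prefix test would accept "127.0.0.1.example.org".
bool isLocalHostName(const std::string &host)
{
    return host == "localhost" || host == "127.0.0.1" || host == "::1";
}

// Socket address plus Host header, the combination the commit describes.
bool allowLocalLogin(const std::string &peer, const std::string &hostHeader)
{
    return isLoopbackPeer(peer) && isLocalHostName(hostOnly(hostHeader));
}

int main()
{
    const std::string proxy = "127.0.0.1"; // a local proxy connects from loopback
    std::cout << std::boolalpha
              << isLoopbackPeer(proxy) << '\n'                               // socket check alone passes
              << allowLocalLogin(proxy, "constructedexample.onion") << '\n'  // rejected by Host check
              << allowLocalLogin(proxy, "localhost:8080") << '\n'            // direct local client
              << allowLocalLogin(proxy, "127.0.0.1") << '\n';                // forged Host still passes
    return 0;
}
```

The last case is the gap the commit message names: the Host value is client-supplied, so it narrows access but does not prove the caller is a local process.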