This repository has been archived by the owner on Feb 1, 2024. It is now read-only.

Restrict /tile Endpoint to Allowed Hosts Only #791

Merged
merged 3 commits into from Sep 10, 2019

Conversation

rajadain
Contributor

@rajadain rajadain commented Sep 9, 2019

Overview

To discourage tile hotlinking, this adds a check of the HTTP referer field to allow only those in ALLOWED_HOSTS.

This reuses previously created methods for checking the referer field. Leaflet VectorGrid extension doesn't support making requests with custom headers, which is why we're not also reusing the X-OAR-Client-Key check here.

Also adds some tests for these new permissions.

Connects #735

Demo

(screenshot attached to the PR, not reproduced here)

Testing Instructions

  • Check out this branch and visit :6543/
    • Ensure you can still see the tiles

Checklist

  • fixup! commits have been squashed
  • CI passes after rebase
  • CHANGELOG.md updated with summary of features or fixes, following Keep a Changelog guidelines
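To make the mechanism in this PR concrete, here is an added, stand-alone illustration of a Referer-based host check in the style of Django's ALLOWED_HOSTS matching. It is not the project's code: the function names, the constructed allow-list (`example.com` and friends), the `tile_view` stub and its 403 status for rejected requests are all assumptions made for the example. It shows the cases a reviewer would want covered: a missing header, a port in the URL, case differences, the leading-dot subdomain pattern, the `*` wildcard, and lookalike hosts that merely contain the allowed name.

```python
from urllib.parse import urlsplit

# Constructed allow-list in the shape of Django's ALLOWED_HOSTS (assumption, not the project's settings).
# A leading dot matches the domain itself plus any subdomain; "*" matches everything.
ALLOWED_HOSTS = ["example.com", ".staging.example.com", "localhost"]


def host_from_referer(referer):
    """Extract the lowercased hostname from a Referer URL.

    Returns None when the header is absent, empty, or not parseable; the caller
    treats None as "no host", which is then rejected by host_allowed().
    """
    if not referer:
        return None
    try:
        # .hostname strips the port and lowercases the host; it is None for "no host".
        return urlsplit(referer).hostname or None
    except ValueError:  # e.g. a malformed IPv6 literal such as "http://[bad"
        return None


def host_allowed(host, allowed_hosts):
    """Mirror the ALLOWED_HOSTS matching rules.

    - "*"            -> any host
    - ".example.com" -> example.com and every subdomain of it
    - "example.com"  -> exact match only
    A bare suffix comparison is deliberately avoided so that a host such as
    "example.com.other.net" does not pass for the pattern ".example.com".
    """
    if not host:
        return False
    host = host.rstrip(".").lower()  # tolerate a trailing dot (FQDN form)
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def referer_permitted(headers, allowed_hosts=ALLOWED_HOSTS):
    """True when the request's Referer names an allowed host.

    `headers` is a plain dict; both the HTTP header name and Django's
    META-style key are accepted so the helper works with either input.
    """
    referer = headers.get("Referer") or headers.get("HTTP_REFERER")
    return host_allowed(host_from_referer(referer), allowed_hosts)


def tile_view(headers, allowed_hosts=ALLOWED_HOSTS):
    """Simplified tile endpoint: returns (status_code, body).

    The 403 for a rejected referer is this example's choice (assumption); the
    PR text does not state which status the real endpoint returns.
    """
    if not referer_permitted(headers, allowed_hosts):
        return 403, b"Forbidden"
    return 200, b"<tile bytes>"


if __name__ == "__main__":
    # Constructed sample requests: one from the site itself, one with no Referer at all.
    print(tile_view({"Referer": "https://example.com/map"}))
    print(tile_view({}))
```

Because the Referer header is supplied by the client, this check only discourages casual hotlinking, which is exactly how the PR describes it; it is not an authentication boundary, and the X-OAR-Client-Key check that other endpoints use remains the stronger control where the client can send custom headers.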

@jwalgran
Contributor

Looking at this now.


@jwalgran jwalgran left a comment


Confirmed. Nice, clear implementation. I made a suggestion that will allow the unit test to assert 200 instead of 404.

Review comment on src/django/api/tests.py (resolved)
@jwalgran jwalgran assigned rajadain and unassigned jwalgran Sep 10, 2019
This reuses previously created methods for checking the
referer field. Leaflet VectorGrid extension doesn't support
making requests with custom headers, which is why we're not
also reusing the X-OAR-Client-Key check here.
@rajadain
Contributor Author

Thanks for reviewing and for suggesting override_switch. It looks much cleaner with it. Will merge when green.

@rajadain rajadain merged commit 04daf67 into develop Sep 10, 2019
@rajadain rajadain deleted the tt/tile-lockdown-2 branch September 10, 2019 16:47