path: root/src/http/csrf.go
Diffstat (limited to 'src/http/csrf.go')
-rw-r--r--src/http/csrf.go43
1 files changed, 43 insertions, 0 deletions
diff --git a/src/http/csrf.go b/src/http/csrf.go
new file mode 100644
index 0000000..a64e37e
--- /dev/null
+++ b/src/http/csrf.go
@@ -0,0 +1,43 @@
+package http
+
+import (
+ "errors"
+ "net"
+ "net/http"
+ "net/url"
+
+ "github.com/mediocregopher/blog.mediocregopher.com/srv/http/apiutil"
+)
+
+func checkCSRF(r *http.Request, publicURL *url.URL) error {
+
+ if ipStr, _, err := net.SplitHostPort(r.Host); err == nil {
+ if ip := net.ParseIP(ipStr); ip != nil && ip.IsLoopback() {
+ return nil
+ }
+ }
+
+ refererURL, err := url.Parse(r.Referer())
+ if err != nil {
+ return errors.New("invalid Referer")
+ }
+
+ if refererURL.Scheme != publicURL.Scheme ||
+ refererURL.Host != publicURL.Host {
+ return errors.New("invalid Referer")
+ }
+
+ return nil
+}
+
+func (a *api) checkCSRFMiddleware(h http.Handler) http.Handler {
+ return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+
+ if err := checkCSRF(r, a.params.PublicURL); err != nil {
+ apiutil.BadRequest(rw, r, errors.New("invalid Referer"))
+ return
+ }
+
+ h.ServeHTTP(rw, r)
+ })
+}
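Review bot: The loopback exemption at the top of checkCSRF (lines 29-33) keys off `r.Host`, which is the client-supplied Host header and not the peer address, so it does not establish that the request originated on the local machine. A user who reaches the site as `http://127.0.0.1:<port>` gets no CSRF protection at all, because a cross-site form post aimed at that address carries a loopback Host, and a reverse proxy that rewrites Host to its upstream loopback address would presumably disable the check for every request. I would drop the exemption, or gate it on a server-side setting on `a.params` if it exists to support local development, rather than derive it from request headers; note also that `net.SplitHostPort` fails on a bare `localhost` with no port, so the exemption as written is inconsistent anyway. Separately, the Referer comparison at lines 35-43 rejects legitimate users whose browser strips Referer (for example under a no-referrer policy), while Origin is sent on cross-origin POSTs and is harder to suppress, so prefer it and fall back to Referer only when it is absent: `origin := r.Header.Get("Origin"); if origin == "" { origin = r.Referer() }` and parse `origin` in place of `r.Referer()` at line 35.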