Merge pull request #174 from neon-mmd/patch-csrf-security-with-cors

🛠️ Provide CORS protection against CSRF attacks

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "websurfx"
-version = "0.16.0"
+version = "0.16.1"
 edition = "2021"
 description = "An open-source alternative to Searx that provides clean, ad-free, and organic results with incredible speed while keeping privacy and security in mind."
 repository = "https://github.com/neon-mmd/websurfx"
@@ -14,6 +14,7 @@ handlebars = { version = "4.3.6", features = ["dir_source"] }
 scraper = {version="*"}
 actix-web = {version="4.3.1", features = ["cookies"]}
 actix-files = {version="0.6.2"}
+actix-cors = {version="0.6.4"}
 serde_json = {version="*"}
 fake-useragent = {version="*"}
 env_logger = {version="0.10.0"}

src/lib.rs

@@ -12,8 +12,9 @@ use std::net::TcpListener;
 
 use crate::server::routes;
 
+use actix_cors::Cors;
 use actix_files as fs;
-use actix_web::{dev::Server, middleware::Logger, web, App, HttpServer};
+use actix_web::{dev::Server, http::header, middleware::Logger, web, App, HttpServer};
 use config::parser::Config;
 use handlebars::Handlebars;
 use handler::public_paths::public_path;
@@ -52,9 +53,20 @@ pub fn run(listener: TcpListener, config: Config) -> std::io::Result<Server> {
     let cloned_config_threads_opt: u8 = config.threads;
 
     let server = HttpServer::new(move || {
+        let cors: Cors = Cors::default()
+            .allow_any_origin()
+            .allowed_methods(vec!["GET"])
+            .allowed_headers(vec![
+                header::ORIGIN,
+                header::CONTENT_TYPE,
+                header::REFERER,
+                header::COOKIE,
+            ]);
+
         App::new()
             .app_data(handlebars_ref.clone())
             .app_data(web::Data::new(config.clone()))
+            .wrap(cors)
             .wrap(Logger::default()) // added logging middleware for logging.
             // Serve images and static files (css and js files).
             .service(