Add CSRF_PROTECTION environment variable where you can turn off the…

… robots protection (by setting the variable to `off`). It is enabled by default.
stefansundin · Jan 10, 2024 · c4f9a6d · c4f9a6d
1 parent a158ec1
commit c4f9a6d
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/.env.example b/.env.example
@@ -8,7 +8,9 @@
 
 
 # Application configuration:
-REDIS_URL=redis://localhost:6379/3
+
+# Redis is optional
+#REDIS_URL=redis://localhost:6379/3
 
 #TWITTER_ACCESS_TOKEN=
 
@@ -25,6 +27,9 @@ REDIS_URL=redis://localhost:6379/3
 
 #IMGUR_CLIENT_ID=
 
+# CSRF protection is enabled by default
+#CSRF_PROTECTION=off
+
 # Get your own at https://report-uri.com/
 #CSP_REPORT_URI=
 

diff --git a/app.rb b/app.rb
@@ -9,9 +9,13 @@
   content_type :text
 end
 
+csrf_protection_enabled = ENV["CSRF_PROTECTION"] != "off"
+
 before %r{/(?:go|twitter|youtube|vimeo|instagram|periscope|soundcloud|mixcloud|twitch|speedrun|dailymotion|imgur|svtplay)} do
-  if !request.user_agent&.include?("Mozilla/") || !request.referer&.start_with?("#{request.base_url}/")
-    halt [403, "This endpoint should not be used by a robot. RSS Box is open source so you should instead reimplement the thing you need in your own application."]
+  if csrf_protection_enabled
+    if !request.user_agent&.include?("Mozilla/") || !request.referer&.start_with?("#{request.base_url}/")
+      halt [403, "This endpoint should not be used by a robot. RSS Box is open source so you should instead reimplement the thing you need in your own application.\n"]
+    end
   end
   halt [400, "Insufficient parameters."] if params[:q].empty?
 end