It's not unusual to use regex for Referer
or Origin
headers validation.
Often it is needed for setting the X-Frame-Options
header (ClickJacking protection) or Cross-Origin Resource Sharing.
The most common errors with this configuration are:
Notice: by default Gixy doesn't check regexes for 3rd-party origins matching. You can pass a list of trusted domains by using the option
--origins-domains example.com,foo.bar
"Eazy"-breezy:
if
directives that are in charge of $http_origin
or $http_referer
check;Misconfiguration example:
if ($http_origin ~* ((^https://www\.yandex\.ru)|(^https://ya\.ru)/)) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Credentials' 'true';
}
TODO(buglloc): cover typical regex-writing problems TODO(buglloc): Regex Ninja?
Referer
request header, then, possibly (not 100%), you could use ngx_http_referer_module;map
directive without any regex at all.