summaryrefslogtreecommitdiff
path: root/internal/handlers
diff options
context:
space:
mode:
Diffstat (limited to 'internal/handlers')
-rw-r--r--internal/handlers/claudomator_proxy.go6
1 files changed, 5 insertions, 1 deletions
diff --git a/internal/handlers/claudomator_proxy.go b/internal/handlers/claudomator_proxy.go
index bfbbabc..f3f0cd2 100644
--- a/internal/handlers/claudomator_proxy.go
+++ b/internal/handlers/claudomator_proxy.go
@@ -13,7 +13,7 @@ import (
// targetURL, stripping the "/claudomator" prefix from the path. WebSocket
// upgrade requests are handled via raw TCP hijacking to support long-lived
// connections.
-func NewClaudomatorProxy(targetURL string) http.Handler {
+func NewClaudomatorProxy(targetURL, allowedOrigin string) http.Handler {
target, err := url.Parse(targetURL)
if err != nil {
panic("claudomator: invalid target URL: " + err.Error())
@@ -50,6 +50,10 @@ func NewClaudomatorProxy(targetURL string) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
+ if allowedOrigin != "" && r.Header.Get("Origin") != allowedOrigin {
+ http.Error(w, "forbidden", http.StatusForbidden)
+ return
+ }
proxyWebSocket(w, r, target)
return
}