Prevent non-local origins via CORS rule.

Byron · Byron · commit d7e42bdb36d5 · 2026-01-24T16:03:35.000+01:00
diff --git a/crates/but-server/SECURITY.md b/crates/but-server/SECURITY.md
@@ -13,24 +13,7 @@ The server uses an Axum middleware (`localhost_only_middleware`) that:
 3. Accepts the connection if it's from localhost
 4. Rejects the connection with HTTP 403 Forbidden if it's from any other address
 
-## Testing
-
-To verify the security middleware:
-
-1. Start the server:
-   ```bash
-   cargo run -p but-server
-   ```
-
-2. Test from localhost (should succeed):
-   ```bash
-   curl -i http://127.0.0.1:6978/
-   ```
-
-3. Attempt to connect from a non-localhost address (should fail with 403):
-   - This can only be tested if the server is bound to a non-localhost address
-   - By default, the server binds to 127.0.0.1 which already prevents remote connections at the TCP level
-   - The middleware provides defense-in-depth even if the bind address is changed
+When this passes, it additionally validates the origin header is set and comes from `http://localhost:`.
 
 ## Configuration
 
@@ -46,3 +29,7 @@ Rejected connections are logged with a warning:
 ```
 Rejected non-localhost connection from: <ip_address>
 ```
+
+# Considerations for Electron
+
+Should the `but-server` be used in Electron, we will make sure that it's completely locked down and only usable by the Electron process it's bundled with.
diff --git a/crates/but-server/src/lib.rs b/crates/but-server/src/lib.rs
@@ -22,7 +22,7 @@ use serde::{Deserialize, Serialize};
 use serde_json::json;
 use std::net::SocketAddr;
 use tokio::sync::Mutex;
-use tower_http::cors::{Any, CorsLayer};
+use tower_http::cors::{self, CorsLayer};
 
 mod projects;
 use crate::projects::ActiveProjects;
@@ -71,9 +71,14 @@ async fn localhost_only_middleware(
 
 pub async fn run() {
     let cors = CorsLayer::new()
-        .allow_methods(Any)
-        .allow_origin(Any)
-        .allow_headers(Any);
+        .allow_methods(cors::Any)
+        .allow_origin(cors::AllowOrigin::predicate(|origin, _parts| {
+            origin
+                .as_bytes()
+                .strip_prefix(b"http://localhost")
+                .is_some_and(|rest| rest.first().is_none_or(|b| *b == b':'))
+        }))
+        .allow_headers(cors::Any);
 
     let config_dir = but_path::app_config_dir().unwrap();
     let app_data_dir = but_path::app_data_dir().unwrap();
@@ -124,7 +129,7 @@ pub async fn run() {
         .layer(cors)
         // Middleware to ensure only localhost connections are accepted.
         // Note: In Axum, layers are applied in reverse order, so this middleware
-        // runs BEFORE CORS processing, ensuring security checks happen first.
+        // runs BEFORE CORS processing, ensuring this security checks happen first.
         .layer(axum::middleware::from_fn(localhost_only_middleware))
         .with_state(state);
 
