22 lines
1.2 KiB
TypeScript
22 lines
1.2 KiB
TypeScript
import type { RemotePattern } from '@astrojs/internal-helpers/remote';
|
|
import type * as vite from 'vite';
|
|
import type { AstroLogger } from '../core/logger/core.js';
|
|
/**
|
|
* Middleware that validates Sec-Fetch metadata headers on incoming requests
|
|
* to block cross-origin subresource requests (e.g. `<script>` tags from
|
|
* another origin loading dev server modules).
|
|
*
|
|
* Navigation requests (`Sec-Fetch-Mode: navigate`) are always allowed through
|
|
* because browsers enforce their own security model for top-level navigations.
|
|
*
|
|
* Requests without `Sec-Fetch-Site` (e.g. from non-browser clients like curl,
|
|
* or older browsers that don't send Fetch Metadata) are also allowed through
|
|
* to avoid breaking legitimate development workflows.
|
|
*
|
|
* When `security.allowedDomains` is configured, requests whose `Origin` header
|
|
* matches one of the allowed patterns are also permitted. This supports proxied
|
|
* dev server setups (e.g. ngrok, Cloudflare Tunnel) where the browser sees a
|
|
* different origin than the dev server itself.
|
|
*/
|
|
export declare function secFetchMiddleware(logger: AstroLogger, allowedDomains?: Partial<RemotePattern>[]): vite.Connect.NextHandleFunction;
|