From 29c6237caf8b990cc196f8bfedff5add7c123657 Mon Sep 17 00:00:00 2001
From: NotZippy
Date: Sun, 22 Oct 2017 09:31:18 -0700
Subject: [PATCH] Removed the catch all route, and added comment about security issue

---
 revel/skeleton/app/init.go | 5 ++---
 revel/skeleton/conf/routes | 11 +++++++++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/revel/skeleton/app/init.go b/revel/skeleton/app/init.go
index 0b9714f..b4e614f 100644
--- a/revel/skeleton/app/init.go
+++ b/revel/skeleton/app/init.go
@@ -38,9 +38,8 @@ func init() {
 }
 
 // HeaderFilter adds common security headers
-// TODO turn this into revel.HeaderFilter
-// should probably also have a filter for CSRF
-// not sure if it can go in the same filter or not
+// There is a full implementation of a CSRF filter in
+// https://github.com/revel/modules/tree/master/csrf
 var HeaderFilter = func(c *revel.Controller, fc []revel.Filter) {
 	c.Response.Out.Header().Add("X-Frame-Options", "SAMEORIGIN")
 	c.Response.Out.Header().Add("X-XSS-Protection", "1; mode=block")
diff --git a/revel/skeleton/conf/routes b/revel/skeleton/conf/routes
index 35e99fa..ba93d61 100644
--- a/revel/skeleton/conf/routes
+++ b/revel/skeleton/conf/routes
@@ -15,5 +15,12 @@ GET /favicon.ico 404
 # Map static resources from the /app/public folder to the /public path
 GET /public/*filepath Static.Serve("public")
 
-# Catch all
-* /:controller/:action :controller.:action
+# Catch all, this will route any request into the controller path
+#
+# **** WARNING ****
+# Enabling this exposes any controller and function to the web.
+# ** This is a serious security issue if used online **
+#
+# For rapid development uncomment the following to add new controller.action endpoints
+# without having to add them to the routes table.
+# * /:controller/:action :controller.:action
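Review bot: The new doc comment on HeaderFilter links to a CSRF filter without saying that this skeleton does not wire it in, so a reader skimming the header can come away believing CSRF protection is already in place; the visible body only sets response headers. The comment should state the gap explicitly, for example `// HeaderFilter adds common security headers. It does not provide CSRF protection; a ready-made CSRF filter lives at https://github.com/revel/modules/tree/master/csrf and must be registered in the application's filter chain separately.` The HeaderFilter function body continues past the end of the hunk, so any further headers it sets are not visible here.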
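Review bot: The warning block describes the exposure but not its scope, which is what a developer weighing a quick uncomment needs: the `*` method column matches every HTTP method and `:controller/:action` matches every exported action on every controller, including ones added after the route is enabled, so nothing short of removing the line again narrows it. I would add after the WARNING lines `# The leading * matches every HTTP method, and :controller/:action matches every exported action of every controller, including ones added later.` and `# Remove the route again before the application is deployed; do not rely on it being unreachable.` The rest of the commented-out route is fine as is.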