Removed the catch all route, and added comment about security issue

2026-01-11 18:54:31 +00:00 · 2017-10-22 09:31:18 -07:00
parent 2d4ccf289c
commit 29c6237caf
2 changed files with 11 additions and 5 deletions
--- a/revel/skeleton/app/init.go
+++ b/revel/skeleton/app/init.go
@@ -38,9 +38,8 @@ func init() {
 }

 // HeaderFilter adds common security headers
-// TODO turn this into revel.HeaderFilter
-// should probably also have a filter for CSRF
-// not sure if it can go in the same filter or not
+// There is a full implementation of a CSRF filter in
+// https://github.com/revel/modules/tree/master/csrf
 var HeaderFilter = func(c *revel.Controller, fc []revel.Filter) {
 	c.Response.Out.Header().Add("X-Frame-Options", "SAMEORIGIN")
 	c.Response.Out.Header().Add("X-XSS-Protection", "1; mode=block")
--- a/revel/skeleton/conf/routes
+++ b/revel/skeleton/conf/routes
@@ -15,5 +15,12 @@ GET     /favicon.ico                            404
 # Map static resources from the /app/public folder to the /public path
 GET     /public/*filepath                       Static.Serve("public")

-# Catch all
-*       /:controller/:action                    :controller.:action
+# Catch all, this will route any request into the controller path
+#
+#                    **** WARNING ****
+# Enabling this exposes any controller and function to the web.
+# ** This is a serious security issue if used online **
+#
+# For rapid development uncomment the following to add new controller.action endpoints
+# without having to add them to the routes table.
+# *       /:controller/:action                    :controller.:action