diff --git a/backend/serverSideScript.js b/backend/serverSideScript.js
index 52c2303..d7e76aa 100644
--- a/backend/serverSideScript.js
+++ b/backend/serverSideScript.js
@@ -23,6 +23,7 @@ if(customvar2) {
var mongoURL = customvar1.mongoURL;
var dbname = customvar1.dbname;
var defaultURL = customvar1.defaultURL;
+var hasRefererSecurity = (customvar1.enableRefererSecurity === undefined) ? true : customvar1.enableRefererSecurity;
function antiXSS(string) {
return string.replace(/&/g,"&").replace(//g,">").replace(/"/g,""").replace(/'/g,"'");
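Review bot: The new `hasRefererSecurity` line only substitutes the default when the config key is `undefined`; any other value (`null`, the string `"false"`, `0`) is passed through and then used in a boolean `&&` further down, so a config of `"enableRefererSecurity": "false"` would still enable the check while `null` would disable it. Treating only an explicit `false` as opt-out is simpler and harder to misconfigure: `var hasRefererSecurity = customvar1.enableRefererSecurity !== false;`. A short comment above it stating that the check is on by default and can only be disabled by setting the key to boolean `false` would also help whoever edits the JSON. The enclosing `if(customvar2) {` block starts outside this hunk.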
@@ -100,10 +101,10 @@ if (href.match(/^\/admin\/?$/)) {
return;
}
var baseURL = (req.socket.encrypted ? "https" : "http") + "://" + (req.headers.host ? req.headers.host : req.socket.localAddress);
- if(req.headers.referer && (req.headers.referer + "/").substring(0,baseURL.length + 1) != (baseURL + "/")) {
+ if(hasRefererSecurity && (req.headers.referer + "/").substring(0,baseURL.length + 1) != (baseURL + "/")) {
formatTemplate("index.html", {
"url": "",
- "shorturl": "CSRF detected"
+ "shorturl": "Invalid referrer (CSRF?)"
}, function(data) {
res.writeHead(400, {"Content-Type": "text/html; charset=utf-8"});
res.end(data);
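Review bot: The rewritten condition drops the `req.headers.referer &&` guard, so a request with no Referer header now reaches the comparison as the string `"undefined/"` and is rejected only because that string happens not to match `baseURL + "/"`; that is the right outcome for a CSRF check (a missing Referer should fail closed), but it is reached by accident of coercion rather than by intent. Make the missing-header case explicit so the rejection survives a later refactor: `if(hasRefererSecurity && (!req.headers.referer || (req.headers.referer + "/").substring(0,baseURL.length + 1) != (baseURL + "/"))) {`. Note also that this is a stricter behaviour than before the commit — legitimate clients sending no Referer (e.g. `Referrer-Policy: no-referrer`) will now get the 400 — which is worth stating in the commit message or a comment on the config key. The enclosing request handler starts and ends outside this hunk.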
diff --git a/backend/shortener-config.json b/backend/shortener-config.json
index 23f9b3c..e22c9f8 100644
--- a/backend/shortener-config.json
+++ b/backend/shortener-config.json
@@ -1,5 +1,6 @@
{
"mongoURL": "mongodb://localhost/shortenerdb",
"database": "shortenerdb",
- "defaultURL": "https://svrjs.org"
+ "defaultURL": "https://svrjs.org",
+ "enableRefererSecurity": true
}