diff --git a/README.md b/README.md index f5f6708..e93f228 100644 --- a/README.md +++ b/README.md @@ -148,7 +148,18 @@ origin_blacklist_simple_whitelist: origin_blacklist_block_offline_download: true ``` -**To use IP bans and rate limiting, enable** `forward_ip` **and pass a X-Real-IP header from your proxy to the bungeecord's websocket port** +### To stop people from using bookmarklets to load a client from a different URL onto your official URL via XXS, add these headers to NGINX: + +``` +add_header X-Frame-Options "SAMEORIGIN"; +add_header Referrer-Policy "strict-origin"; +add_header X-XSS-Protection "1; mode=block"; +add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' data: blob:; connect-src 'self' ws: wss:; upgrade-insecure-requests"; +``` + +(not fully tested, excuse the scroll bar) + +### To use IP bans and rate limiting, enable `forward_ip` and pass a X-Real-IP header from your proxy to the bungeecord's websocket port Nginx example: add `proxy_set_header X-Real-IP $remote_addr` to your proxy configuration diff --git a/stable-download/origin_blacklist.txt b/stable-download/origin_blacklist.txt index 2afc396..c62ec48 100644 --- a/stable-download/origin_blacklist.txt +++ b/stable-download/origin_blacklist.txt @@ -22,6 +22,11 @@ .*gitpod\.io$ .*gsucks\.repl\.co$ .*builders.tools\.tk$ +.*lapx\..*$ + +# block ambiguous domains (excuse the regex skill issues) +^(?!g\.eags\.us).*eags\.us$ +^(?!g\.lax1dude\.net).*lax1dude\.net$ # replit-wildcard: .*repl(it)?\..{1,5}$