'use strict';
const methods = require('methods');
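// Methods refused outright. TRACE and TRACK are the Cross-Site Tracing
// vectors (see the OWASP reference below); everything else reported by the
// `methods` package is accepted.
const METHODS_NOT_ALLOWED = [ 'trace', 'track' ];

// Allowlist: upper-cased HTTP method name -> true.
// Built on a prototype-less object so that a lookup on a method string that
// happens to equal an Object.prototype property name (e.g. 'constructor')
// yields undefined instead of an inherited, truthy value; such a request is
// then rejected like any other unknown method rather than let through.
const safeHttpMethodsMap = Object.create(null);

for (const method of methods) {
  if (METHODS_NOT_ALLOWED.includes(method)) continue;
  // Keys are stored upper-cased because the middleware looks them up with the
  // request method exactly as the HTTP layer reports it.
  safeHttpMethodsMap[method.toUpperCase()] = true;
}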
// https://www.owasp.org/index.php/Cross_Site_Tracing
// http://jsperf.com/find-by-map-with-find-by-array
/**
 * Middleware factory: rejects any request whose method is absent from
 * `safeHttpMethodsMap` (TRACE/TRACK, or a method the `methods` package does
 * not list) with a 405 before any downstream middleware runs.
 *
 * @returns {function(Object, Function): *} `(ctx, next)`-style middleware.
 *   Calls `ctx.throw(405)` for a disallowed method; otherwise returns the
 *   result of `next()`.
 */
module.exports = function methodNotAllowedFactory() {
  return function notAllow(ctx, next) {
    // Map keys are upper-cased; ctx.method is expected to already be upper
    // case, so no normalisation happens here.
    const isAllowed = Boolean(safeHttpMethodsMap[ctx.method]);
    if (!isAllowed) {
      // NOTE(review): RFC 7231 expects a 405 response to carry an Allow
      // header; ctx.throw(405) on its own does not add one.
      ctx.throw(405);
    }
    return next();
  };
};