1 files changed, 26 insertions, 4 deletions

diff --git a/web/renderer/index.js b/web/renderer/index.js
index 497d245..2829275 100644
--- a/web/renderer/index.js
+++ b/web/renderer/index.js
@@ -46,13 +46,13 @@ let cache = async ( req, res ) => {
     console.log( "caching page: " + target );
     fs.writeFileSync( file, html );
 
-    await page.close();
     const headers = r.headers();
+    await page.close();
 
     res.writeHead( 200, {
-      'content-type': headers['content-type'],
-      'date': headers['date'],
-      'etag': headers['etag'],
+      'content-type': headers['content-type'] || "text/html",
+      'date': headers['date'] || "",
+      'etag': headers['etag'] || "",
     } );
     res.end( html );
 
@@ -62,12 +62,34 @@ let cache = async ( req, res ) => {
   }
 }
 
+let allowedExt = [
+  ".html",
+  ".xml",
+  ".css",
+  ".ico",
+  ".js",
+  "/"
+];
+
 app.get( "/", cache );
 app.get( /\/$/, cache );
 app.get( /#$/, cache );
 app.get( /^\/[^.]*$/, cache );
 app.use( async ( req, res ) => {
   let url = new URL( req.url, host );
+  let found = 0;
+  for( let ext of allowedExt ) {
+    if( url.pathname.endsWith( ext ) ) {
+      found = 1;
+      break;
+    }
+  }
+
+  if( !found ) {
+    res.status( 403 );
+    return res.end( "forbidden" );
+  }
+
   const r = await fetch( url.href );
 
   if( r.ok ) {