Jesus Galaz Reyes
--- a/server.js

+ 15

− 0
+++ b/server.js

+ 15

− 0
 @@ -2,6 +2,7 @@ const express = require('express');
 @@ -2,6 +2,7 @@ const express = require('express');
 const path = require('path');
 const connectDB = require('./mongodb');
 const session = require('express-session');
+const url = require('url');
 const app = express();
 @@ -9,6 +10,20 @@ const app = express();
 @@ -9,6 +10,20 @@ const app = express();
 app.use(express.json());
 app.use(express.static(path.join(__dirname, 'public')));
+// Allow only localhost for SSRF protection
+function validateLocalhost(req, res, next) {
+  const remoteAddress = req.connection.remoteAddress;
+  // Allow requests only from localhost (IPv4 and IPv6)
+  if (remoteAddress !== '127.0.0.1' && remoteAddress !== '::1') {
+    return res.status(403).send('External requests are forbidden');
+  }
+  next();
+}
+app.use(validateLocalhost);  // Add the middleware
 // Session configuration
 app.use(
  session({