new: added CORS origin and security warnings to API

src/api/mod.rs

@@ -43,12 +43,29 @@ fn config(cfg: &mut web::ServiceConfig) {
 pub(crate) async fn start(opts: Options) -> Result<(), Error> {
     let address = opts.api.unwrap();
 
+    if !address.contains(':') {
+        return Err("no port specified, please specify a port in the format host:port".to_string());
+    }
+
     log::info!("starting api on http://{} ...", &address);
 
+    if !address.contains("localhost") && !address.contains("127.0.0.1") {
+        log::warn!("this server does not provide any authentication and you are binding it to an external address, use with caution!");
+    }
+
+    if opts.api_allowed_origin.to_lowercase() == "any" {
+        log::warn!(
+            "Any CORS origin policy specified, this server will accept requests from any origin"
+        );
+    }
+
     let state = Arc::new(RwLock::new(Sessions::new(opts.concurrency)));
 
     HttpServer::new(move || {
-        let cors = Cors::permissive();
+        let cors = match opts.api_allowed_origin.to_lowercase().as_str() {
+            "any" => Cors::permissive(),
+            _ => Cors::permissive().allowed_origin(&opts.api_allowed_origin),
+        };
 
         App::new()
             .wrap(cors)

src/options.rs

@@ -27,6 +27,9 @@ pub(crate) struct Options {
     /// Enable the REST API and bind it to the specified address:port.
     #[clap(long)]
     pub api: Option<String>,
+    /// Use a more restrictive CORS policy by only allowing requests from the specified origin.
+    #[clap(long, default_value = "127.0.0.1")]
+    pub api_allowed_origin: String,
 
     /// Constant, filename, glob expression as @/some/path/*.txt, permutations as #min-max:charset / #min-max or range as [min-max] / [n, n, n]
     #[clap(short = 'U', long, visible_alias = "payloads")]