fix: block non-http(s) schemes, sanitize API_KEY backslash, improve viewport error message

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 12:48:18 +02:00
parent 6dc0001f9d
commit 6973522c45
3 changed files with 12 additions and 1 deletions


@@ -64,6 +64,10 @@ curl "http://host/api?key=your-secret-key&url=https://example.com"
Set `BLOCK_PRIVATE_IPS=true` to reject requests to LAN, loopback, and cloud metadata IPs.
Recommended when hosting publicly. Default is off (allows local/LAN addresses).
Note: DNS rebinding attacks can bypass this protection (attacker-controlled DNS can return a public IP
during validation and a private IP when Chrome actually connects). Full protection requires a network-level
egress firewall.
## Caveats
- `web/index.php` has a `var_dump($cmd)` debug statement left in `http2pic.class.php:181` - remove before shipping.
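Review bot: the caveat line is internally inconsistent about where the debug statement lives: it says `web/index.php` has a `var_dump($cmd)` but then locates it at `http2pic.class.php:181`; name the one file (and line) that actually contains it so the reader knows what to remove. In the `BLOCK_PRIVATE_IPS` paragraph, the DNS rebinding note is a welcome addition, but it would help operators to state explicitly that the check is performed once at validation time on the hostname's resolved address and is not re-applied when Chrome resolves the name again, which is why the egress firewall is needed; as written, "can bypass this protection" leaves the reader unsure whether the option is still worth enabling. Finally, this hunk only touches the README: the scheme-blocking and `API_KEY` backslash changes named in the commit title are not visible here, so reviewers will need the other two files to confirm the documented behaviour matches the code.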