referrer header POST check/rejection

server.js

@@ -50,6 +50,20 @@ const express  = require('express')
 	app.use(helmet());
 	app.use(csrf());
 
+	//referer header check
+	app.use((req, res, next) => {
+		if (req.method !== 'POST') {
+			return next();
+		}
+		if (!req.headers.referer || !req.headers.referer.startsWith('https://fatpeople.lol')) {
+			return res.status(403).render('message', {
+				'title': 'Forbidden',
+				'message': 'Invalid or missing "Referer" header. Are you posting from the correct URL?'
+			})
+		}
+		next();
+	})
+
 	// use pug view engine
 	app.set('view engine', 'pug');
 	app.set('views', path.join(__dirname, 'views/pages'));
@@ -72,7 +86,7 @@ const express  = require('express')
 		console.error(err.stack)
 		return res.status(500).render('message', {
 			'title': 'Internal Server Error',
-			'redirect': req.header('Referer') || '/'
+			'redirect': req.headers.referer || '/'
 		})
 	})