From 4e445a7207d69dd75667b7d66820e125c5789c07 Mon Sep 17 00:00:00 2001
From: Thomas Sileo
Date: Fri, 26 Aug 2022 23:35:58 +0200
Subject: [PATCH] Prevent replay attacks with TLS1.3 0-RTT

---
 app/main.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/main.py b/app/main.py
index 3c45ea8..cdb7205 100644
--- a/app/main.py
+++ b/app/main.py
@@ -8,6 +8,7 @@ from typing import Any
 from typing import MutableMapping
 from typing import Type
 
+import fastapi
 import httpx
 import starlette
 from asgiref.typing import ASGI3Application
@@ -165,7 +166,15 @@ class CustomMiddleware:
         return None
 
 
-app = FastAPI(docs_url=None, redoc_url=None)
+def _check_0rtt_early_data(request: Request) -> None:
+    """Disable TLS1.3 0-RTT requests for non-GET."""
+    if request.headers.get("Early-Data", None) == "1" and request.method != "GET":
+        raise fastapi.HTTPException(status_code=425, detail="Too early")
+
+
+app = FastAPI(
+    docs_url=None, redoc_url=None, dependencies=[Depends(_check_0rtt_early_data)]
+)
 app.mount(
     "/custom_emoji",
     StaticFiles(directory="data/custom_emoji"),
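Review bot: `_check_0rtt_early_data` in the second hunk is only effective when the TLS-terminating proxy in front of the app sets `Early-Data: 1` on requests received in 0-RTT (RFC 8470) and strips any client-supplied copy of that header; with no such proxy the guard silently never fires, and neither the docstring nor the hunk records that deployment requirement. I would extend the docstring to: `"""Reject TLS 1.3 0-RTT (early-data) requests for non-GET methods with 425 Too Early. Relies on the TLS terminator setting `Early-Data: 1` (RFC 8470); it is a no-op if that header is never set."""`. As far as I can tell, app-level `dependencies=` run only for FastAPI path operations, so sub-applications attached with `app.mount(...)`, such as the StaticFiles mount right below, bypass the check — harmless for static GETs today, but worth a one-line comment next to the `FastAPI(...)` call so future mounts that accept POST are not assumed to be covered. The `app.mount(` call continues past the end of the hunk.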