// checkReferer reports an unauthorized error unless the Referer header of the
// HTTP request behind c names this application's own appspot domain.
//
// The single accepted referer host is the application ID followed by
// ".appspot.com", for example:
//
//	my-project-id.appspot.com
//
// When running on the dev app server the check is skipped and every referer
// is accepted.
//
// NOTE(review): Referer is a client-supplied header. Any non-browser client
// can set it to an arbitrary value, so this check does not authenticate the
// caller; it only filters requests that browsers send from other origins.
// Callers that need authorization should rely on a credential check as well.
func checkReferer(c endpoints.Context) error {
	// Local development: no referer restriction at all.
	if appengine.IsDevAppServer() {
		return nil
	}

	referer := c.HTTPRequest().Referer()
	parsed, err := url.Parse(referer)
	if err != nil {
		// %q keeps the untrusted header value quoted and escaped in the log.
		c.Infof("malformed referer detected: %q", referer)
		return endpoints.NewUnauthorizedError("couldn't extract domain from referer")
	}

	// Exact, case-sensitive match on URL.Host, which includes any ":port".
	// An absent Referer parses to an empty Host and is rejected here. The URL
	// scheme is not inspected.
	allowed := appengine.AppID(c) + ".appspot.com"
	if parsed.Host == allowed {
		return nil
	}

	c.Infof("unauthorized referer detected: %q", referer)
	return endpoints.NewUnauthorizedError("referer unauthorized")
}