Hide directory browsing on the static content (#85)

* Hide directory browsing on the static content

* update changelog

3 files changed, 14 insertions, 1 deletions

diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index 9898eec..29f9416 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- Hide the directory listings for Anubis' internal static content
 - Changed `--debug-x-real-ip-default` to `--use-remote-address`, getting the IP address from the request's socket address instead.
 - DroneBL lookups have been disabled by default
 
diff --git a/internal/headers.go b/internal/headers.go
index 9d6ba76..d73fa33 100644
--- a/internal/headers.go
+++ b/internal/headers.go
@@ -4,6 +4,7 @@ import (
 	"log/slog"
 	"net"
 	"net/http"
+	"strings"
 
 	"github.com/TecharoHQ/anubis"
 	"github.com/sebest/xff"
@@ -62,3 +63,14 @@ func XForwardedForToXRealIP(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+// Do not allow browsing directory listings in paths that end with /
+func NoBrowsing(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasSuffix(r.URL.Path, "/") {
+			http.NotFound(w, r)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
diff --git a/lib/anubis.go b/lib/anubis.go
index 83e04dd..8d5dac1 100644
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -119,7 +119,7 @@ func New(opts Options) (*Server, error) {
 	mux := http.NewServeMux()
 	xess.Mount(mux)
 
-	mux.Handle(anubis.StaticPath, internal.UnchangingCache(http.StripPrefix(anubis.StaticPath, http.FileServerFS(web.Static))))
+	mux.Handle(anubis.StaticPath, internal.UnchangingCache(internal.NoBrowsing(http.StripPrefix(anubis.StaticPath, http.FileServerFS(web.Static)))))
 
 	if opts.ServeRobotsTXT {
 		mux.HandleFunc("/robots.txt", func(w http.ResponseWriter, r *http.Request) {