I'm building an RSS reader web app. It takes a list of URLs for feeds, and returns links to items in the feed.

Due to CORS, the requests have to go through a server. The server also parses the RSS feed and just returns a few bits of relevant information: the URL, title, and date of the entries.

If I allow anyone to use my server to fetch any RSS feed they want, what can I do to stop someone nefarious using my server as a proxy to build a list of links to evil/illegal things?

Other than building a database of trustworthy sites, which I'm not willing to do, I can't think of a solution.

Yes, the best thing is to create a list of blacklisted domains, and don't allow users to add a blacklisted domain.

Btw, is RSS a thing now? I was having an idea of creating an RSS reader, but gave up because RSS is almost dead.

Shoot me an email, love to hear from you: arkruka@gmail.com

Usually the RSS feed is on the same domain, so you could simply whitelist automatically. If a user adds example.com/rss you'd add example.com to the whitelist. If you expect any kind of traffic you'd probably be refreshing the RSS feeds server-side on a schedule. You could then change all the URLs to signed URLs to use with your proxy (e.g. nginx securelink, ngx_http_hmac_secure_link_module and multiple other modules for nginx).
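
The same-domain allowlist and signed-URL idea from the last reply, sketched in Python as an added example that is not part of the thread and does not reproduce the token format of the nginx modules named there. The key, the TTL, the function names and the sample URLs are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

SECRET = b"constructed-demo-key"  # assumption: a real key comes from secret storage


def host_of(url):
    """Lower-cased hostname of an http(s) URL, or None for anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def sign(url, expires, key=SECRET):
    """HMAC-SHA256 over expiry and URL, URL-safe base64 without padding."""
    msg = f"{expires}\n{url}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_feed_items(feed_url, item_urls, now, ttl=3600, key=SECRET):
    """At refresh time: sign only items hosted on the feed's own domain."""
    feed_host = host_of(feed_url)
    expires = now + ttl
    signed = []
    for url in item_urls:
        if feed_host is not None and host_of(url) == feed_host:
            signed.append((url, expires, sign(url, expires, key)))
    return signed


def verify(url, expires, token, now, key=SECRET):
    """Proxy side: accept only unexpired URLs that this server signed."""
    if now > expires:
        return False
    expected = sign(url, expires, key).encode()
    return hmac.compare_digest(expected, token.encode())  # constant-time compare


# Constructed sample data, not taken from a real feed.
FEED = "https://example.com/rss"
ITEMS = ["https://example.com/post/1", "https://other.example.net/x", "ftp://example.com/f"]

if __name__ == "__main__":
    for url, exp, tok in sign_feed_items(FEED, ITEMS, now=1_700_000_000):
        print(url, exp, tok, verify(url, exp, tok, now=1_700_000_100))
```

Because the expiry is part of the signed message, a client cannot extend a link's lifetime by editing the expiry parameter.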