Neat, thanks for raising awareness of this issue. I don't think it makes a lot of sense for the web server case (as you said, using TLS would fix it and that seems like the bigger concern), but if someone is building something like an electron app with a local server component then they ought to use this.

FWIW I think you can check just the Host header, it's always going to be present and can't be set by an attacker - referrer doesn't add anything extra and attackers can force requests with blank referrers.

Also all your example regexes are correctly anchored but I can see a developer shooting themselves in the foot with that - I'd maybe add some warnings around it or even programmatically enforce anchored regexes.

Anyhow thanks for the Show HN!