From 892eb88138f9e0daf838866de740c8ce80188415 Mon Sep 17 00:00:00 2001
From: Chris Duncan
Date: Mon, 21 Apr 2025 06:18:20 -0700
Subject: [PATCH] Restrict server header size and quantity. Allow all localhost requests without token limit.
---
 src/bin/nano-pow.sh | 2 +-
 src/bin/server.ts | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/bin/nano-pow.sh b/src/bin/nano-pow.sh
index cc56e44..b9f930d 100755
--- a/src/bin/nano-pow.sh
+++ b/src/bin/nano-pow.sh
@@ -10,7 +10,7 @@ NANO_POW_LOGS="$NANO_POW_HOME"/logs;
 mkdir -p "$NANO_POW_LOGS";
 if [ "$1" = '--server' ]; then
 shift;
- node "$SCRIPT_DIR"/server.js >> "$NANO_POW_LOGS"/nano-pow-server-$(date -I).log 2>&1 & echo "$!" > "$NANO_POW_HOME"/server.pid;
+ node "$SCRIPT_DIR"/server.js --max-http-header-size=1024 >> "$NANO_POW_LOGS"/nano-pow-server-$(date -I).log 2>&1 & echo "$!" > "$NANO_POW_HOME"/server.pid;
 sleep 0.1;
 if [ "$(ps | grep $(cat $NANO_POW_HOME/server.pid))" = '' ]; then
 cat $(ls -td "$NANO_POW_LOGS"/* | head -n1);
diff --git a/src/bin/server.ts b/src/bin/server.ts
index b98d580..caef175 100755
--- a/src/bin/server.ts
+++ b/src/bin/server.ts
@@ -31,6 +31,7 @@ function log (...args: any[]): void {
 process.title = 'NanoPow Server'
 const MAX_BODY_SIZE = 256
+const MAX_HEADER_COUNT = 32
 const MAX_IDLE_TIME = 5000
 const MAX_REQUEST_COUNT = 10
 const MAX_REQUEST_SIZE = 1024
@@ -137,7 +138,7 @@ const server = http.createServer((req, res): void => {
 return
 }
 const client = requests.get(req.socket.remoteAddress)
- if (process.send != null || client == null || client.time < Date.now() - MAX_REQUEST_TIME) {
+ if (process.send != null || req.socket.remoteAddress === '::1' || client == null || client.time < Date.now() - MAX_REQUEST_TIME) {
 requests.set(req.socket.remoteAddress, { tokens: MAX_REQUEST_COUNT, time: Date.now() })
 } else {
 if (--client.tokens <= 0) {
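Review bot: The new `--max-http-header-size=1024` is written after the script path, so Node hands it to server.js as a plain argument in process.argv instead of applying it as a runtime option, and the header-size limit this commit describes never takes effect. The flag has to come before the script: `node --max-http-header-size=1024 "$SCRIPT_DIR"/server.js >> "$NANO_POW_LOGS"/nano-pow-server-$(date -I).log 2>&1 & echo "$!" > "$NANO_POW_HOME"/server.pid;` (it is also accepted through NODE_OPTIONS if the launcher is ever bypassed). A short comment on that line saying the value caps the total bytes of request headers, so it must be sized against the largest legitimate request, would help whoever tunes it later. The `if` block continues beyond the hunk.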
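Review bot: The loopback exemption compares only against the IPv6 literal `'::1'`, so a client connecting over IPv4 (`127.0.0.1`), or one seen through a dual-stack listener as the mapped form `::ffff:127.0.0.1`, is still token-limited, which falls short of the "all localhost requests" in the commit message. A small set next to the other constants covers the three spellings: `const LOOPBACK_ADDRESSES = new Set(['::1', '127.0.0.1', '::ffff:127.0.0.1'])` and, in the condition, `LOOPBACK_ADDRESSES.has(req.socket.remoteAddress ?? '')`. The line also deserves a comment that the check trusts the socket peer address, so if a reverse proxy on the same host ever fronts this server, every external client would appear as loopback and escape the limit; a deployment note in the README would make that visible. The request handler starts and ends outside this hunk.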
@@ -194,6 +195,7 @@ Full documentation:
 server.headersTimeout = MAX_IDLE_TIME
 server.keepAliveTimeout = MAX_IDLE_TIME
+server.maxHeadersCount = MAX_HEADER_COUNT
 server.on('connection', (c: Socket): void => {
 c.setTimeout(MAX_IDLE_TIME, () => c.destroy())
--
2.34.1
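Review bot: `server.maxHeadersCount = MAX_HEADER_COUNT` reads like a hard reject, but as far as I recall of Node's HTTP parser, header pairs beyond the cap are silently discarded and the request is still served with the truncated header set. Worth stating next to the assignment so nobody relies on it as an error path, e.g. `// Header pairs past this count are dropped by the parser, not rejected; the byte cap is --max-http-header-size in nano-pow.sh`. The same note applies to the constant's declaration in the earlier hunk at line 31, where a one-line comment tying the two limits together would help. The server setup continues outside the hunk.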