HACKER Q&A
📣 shadowfaxRodeo

How to stop people using my RSS reader web app as a proxy for evil sites


I'm building an RSS reader web app. It takes a list of URLs for feeds and returns links to items in the feed.

Due to CORS, the requests have to go through a server. The server also parses the RSS feed and just returns a few bits of relevant information: the URL, title, and date of the entries.

If I allow anyone to use my server to fetch any RSS feed they want, what can I do to stop someone nefarious using my server as a proxy to build a list of links to evil/illegal things?

Other than building a database of trustworthy sites, which I'm not willing to do, I can't think of a solution.


  👤 rukshn Accepted Answer ✓
Yes, the best thing is to create a list of blacklisted domains, and don’t allow users to add a blacklisted domain.

Btw, is RSS a thing now? I was having an idea of creating an RSS reader, but gave up because RSS is almost dead.

Shoot me an email, love to hear from you: arkruka@gmail.com


👤 phillipseamore
Usually the RSS feed is on the same domain, so you could simply whitelist automatically. If a user adds example.com/rss you'd add example.com to the whitelist. If you expect any kind of traffic you'd probably be refreshing the RSS feeds server-side on a schedule. You could then change all the URLs to signed URLs to use with your proxy (e.g. nginx securelink, ngx_http_hmac_secure_link_module and multiple other modules for nginx).
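The automatic allowlist and signed-URL idea from the answer above, as an added sketch that is not part of the original post and does not reproduce the token format of any nginx module. The function names, the `expires`/`sig` parameters and the demo key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit

SECRET = b"constructed-demo-key"   # assumption: a real key comes from server config
allowed_hosts = set()              # hosts of the feeds users have added


def register_feed(feed_url):
    """Auto-allowlist the feed's own host when a user adds a feed."""
    parts = urlsplit(feed_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("feed URL must be absolute http(s)")
    allowed_hosts.add(parts.hostname.lower())
    return parts.hostname.lower()


def _mac(url, expires):
    # Bind the signature to both the URL and its expiry time.
    msg = f"{expires}\n{url}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_item(url, ttl=3600, now=None):
    """Used by the scheduled refresher on each item link it parsed."""
    host = urlsplit(url).hostname
    if host is None or host.lower() not in allowed_hosts:
        return None                # item points away from an allowlisted host
    expires = int(now if now is not None else time.time()) + ttl
    return {"url": url, "expires": expires, "sig": _mac(url, expires)}


def verify_request(url, expires, sig, now=None):
    """Used by the proxy endpoint before it fetches or returns anything."""
    now = int(now if now is not None else time.time())
    try:
        expires = int(expires)
    except (TypeError, ValueError):
        return False               # malformed expiry is rejected, not guessed
    if expires < now:
        return False
    expected = _mac(url, expires).encode()
    return hmac.compare_digest(expected, str(sig).encode())  # constant-time
```

Because only the server holds the key, the proxy accepts just the links the refresher produced itself, and a leaked link stops working once `expires` has passed.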