From 6913a688d3d67b928522748d05b719f2000609e9 Mon Sep 17 00:00:00 2001
From: Andrew Sliwinski
Date: Thu, 29 Oct 2015 12:06:13 -0400
Subject: [PATCH] Block PUT, POST, and DEL requests
---
server/index.js | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/server/index.js b/server/index.js
index 954769e13..e206d2955 100644
--- a/server/index.js
+++ b/server/index.js
@@ -13,9 +13,23 @@
 var log = require('./log');
 var proxies = require('./proxies.json');
 var routes = require('./routes.json');
-// Server setup
+// Create server
 var app = express();
 app.disable('x-powered-by');
+
+// Block POST & PUT requests in production
+if (process.env.NODE_ENV === 'production') {
+ app.use(function (req, res, next) {
+ if (req.method === 'GET') return next();
+ if (req.method === 'OPTIONS') return next();
+ if (req.method === 'HEAD') return next();
+
+ res.writeHead(405, {'content-type' : 'application/json'});
+ res.end('{"error": "Method not allowed"}');
+ });
+}
+
+// Server setup
 app.use(log());
 app.use(compression());
 app.use(express.static(path.resolve(__dirname, '../build'), {
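Review bot: A request the new middleware rejects never reaches the request logger, because the method guard is registered before `app.use(log());` (assuming `log()` records requests as they arrive, which is not visible in this hunk), so blocked POST/PUT/DELETE attempts in production leave no trace in the logs even though they are exactly the traffic worth watching; moving the `if (process.env.NODE_ENV === 'production') { ... }` block to just after `app.use(log());` keeps the rejection but records the attempt. The 405 response also omits the `Allow` header that HTTP requires for that status; `res.writeHead(405, {'content-type': 'application/json', 'allow': 'GET, HEAD, OPTIONS'});` closes that gap and tells clients which methods are accepted. Finally, the guard is active only when `NODE_ENV` is exactly `'production'`, so a deployment where the variable is unset or misspelled silently accepts writes; consider inverting the check to deny by default and permit non-read methods only under an explicit development setting.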