authorMarkus Heiser <markus.heiser@darmarit.de>2023-04-19 18:59:23 +0200
committerMarkus Heiser <markus.heiser@darmarit.de>2023-05-29 14:54:56 +0200
commit5226044c13817688a5ca3461743844dca4ed3d2b (patch)
tree562158cf27ac7819dd38a0979ee45557d7fd344a /searx/webapp.py
parentdba569462d0e9c4dbd77a54bb42ef5c3b1916142 (diff)
[mod] limiter: add random token to the limiter URL
By adding a random component in the limiter URL, a bot can no longer send a ping by requesting a static URL. Related: https://github.com/searxng/searxng/pull/2357#issuecomment-1518525094 Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
Diffstat (limited to 'searx/webapp.py')
-rwxr-xr-xsearx/webapp.py8
1 files changed, 5 insertions, 3 deletions
diff --git a/searx/webapp.py b/searx/webapp.py
index 67265e542..815bfcabd 100755
--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -416,6 +416,7 @@ def render(template_name: str, **kwargs):
kwargs['endpoint'] = 'results' if 'q' in kwargs else request.endpoint
kwargs['cookies'] = request.cookies
kwargs['errors'] = request.errors
+ kwargs['limiter_token'] = limiter.get_token()
# values from the preferences
kwargs['preferences'] = request.preferences
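Review bot: `limiter.get_token()` is now called on every `render()`, presumably also on instances that run without the limiter, and nothing in this hunk guards that case. `get_token` is not shown here, so please confirm that it returns a harmless value rather than raising when its backing store is unavailable; otherwise every page would fail to render. A short comment such as `# token for the /limiter<token>.css ping URL; set even when the limiter is inactive` would make the dependency clear. `render()` starts and ends outside the hunk.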
@@ -642,9 +643,10 @@ def health():
return Response('OK', mimetype='text/plain')
-@app.route('/limiter.css', methods=['GET', 'POST'])
-def limiter_css():
- limiter.ping()
+@app.route('/limiter<token>.css', methods=['GET', 'POST'])
+def limiter_css(token=None):
+ if limiter.token_is_valid(token):
+ limiter.ping()
return Response('', mimetype='text/css')
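Review bot: The `token=None` default on `limiter_css` can never apply, because the `<token>` segment uses Flask's default string converter, which needs at least one character. A request for the old `/limiter.css` therefore no longer matches this route, while a request with a wrong token still gets the empty stylesheet. I would drop the default (`def limiter_css(token):`) and add a docstring stating that an invalid token is ignored silently and answered with the same empty response, so the reply does not tell a client whether its token was accepted. `limiter.token_is_valid` is not visible here; it is worth confirming that it compares in constant time (e.g. `hmac.compare_digest`) and rejects expired tokens.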