From a650b1f36934e669cdb1baec642a32047e1fa347 Mon Sep 17 00:00:00 2001
From: Shinigami92
Date: Mon, 12 Dec 2022 22:13:23 +0100
Subject: [PATCH] reject http urls
---
 server/api/og-image/[url].ts | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/server/api/og-image/[url].ts b/server/api/og-image/[url].ts
index b67e69a2..347a4312 100644
--- a/server/api/og-image/[url].ts
+++ b/server/api/og-image/[url].ts
@@ -76,6 +76,14 @@ export default defineEventHandler(async (event) => {
 }
 }
 
+ if (!ogImageUrl.startsWith('https')) {
+ // If the og:image is not https, we can't use it
+ throw createError({
+ statusCode: 406,
+ statusMessage: 'og:image must be https.',
+ })
+ }
+
 if (!ogImageUrl) {
 // If nothing helped, send 404 so the srcset can fallback to the default image
 throw createError({
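Review bot: The added `ogImageUrl.startsWith('https')` check sits above the existing `if (!ogImageUrl)` guard, so a missing og:image no longer reaches the 404 that the srcset fallback depends on: an empty string now produces 406, and an undefined value (whether the variable can be undefined is not visible in the hunk) would throw a TypeError instead. The prefix is also loose, because `'https'` without `://` accepts any string that merely begins with those letters and the comparison is case-sensitive. Changing the condition to `if (ogImageUrl && !ogImageUrl.startsWith('https://')) {`, or moving the block below the 404 guard, keeps the fallback intact; comparing `new URL(ogImageUrl).protocol` with `'https:'` would be stricter still. A scheme check does not constrain which host the URL names, so if the handler goes on to request it server-side (outside this hunk) the destination needs its own validation. The handler body starts and ends outside the hunk.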