From b84a54be055c3e732800e59e4147f5b9d705ef70 Mon Sep 17 00:00:00 2001
From: Roy Han
Date: Wed, 10 Jul 2024 11:23:48 -0700
Subject: [PATCH 1/2] return 405 for bad method
---
 server/routes.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/server/routes.go b/server/routes.go
index e5a31002..44ce5119 100644
--- a/server/routes.go
+++ b/server/routes.go
@@ -1074,6 +1074,7 @@ func (s *Server) GenerateRoutes() http.Handler {
 config.AllowOrigins = envconfig.Origins()
 r := gin.Default()
+ r.HandleMethodNotAllowed = true
 r.Use(
 cors.New(config),
 allowedHostsMiddleware(s.addr),
From 781585d9bd3816c52c9319a8fff45bc7a6863e46 Mon Sep 17 00:00:00 2001
From: Roy Han
Date: Wed, 10 Jul 2024 12:52:34 -0700
Subject: [PATCH 2/2] return 204 for cross-origin OPTIONS
---
 server/routes.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server/routes.go b/server/routes.go
index 44ce5119..cdcd9a17 100644
--- a/server/routes.go
+++ b/server/routes.go
@@ -1043,6 +1043,11 @@ func allowedHostsMiddleware(addr net.Addr) gin.HandlerFunc {
 if addr, err := netip.ParseAddr(host); err == nil {
 if addr.IsLoopback() || addr.IsPrivate() || addr.IsUnspecified() || isLocalIP(addr) {
+ if c.Request.Method == http.MethodOptions {
+ c.AbortWithStatus(http.StatusNoContent)
+ return
+ }
+
 c.Next()
 return
 }
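Review bot: Nothing in this patch pins the new behaviour of `r.HandleMethodNotAllowed = true` in GenerateRoutes, and the part that matters for security is that the 405 answer must still pass through the middleware registered in the `r.Use(...)` call just below it. As far as I know gin serves a 405 through its NoMethod chain, which includes the global middleware, so `cors.New(config)` and `allowedHostsMiddleware(s.addr)` should still run, but a route test would confirm it: a wrong-method request with an allowed Host expects 405, and one with a disallowed Host expects the middleware's rejection rather than 405. A one-line comment above the assignment would also help, e.g. `// answer 405 instead of 404 when the path exists under a different method`. The body of GenerateRoutes continues outside the hunk.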
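Review bot: The added branch in allowedHostsMiddleware keys on `c.Request.Method == http.MethodOptions` alone, so every OPTIONS request whose Host is a loopback, private, unspecified or local IP is answered 204 here and never reaches the router, whatever the path and whether or not it carries `Origin` or `Access-Control-Request-Method`. Since `cors.New(config)` is registered ahead of this middleware in GenerateRoutes, real cross-origin preflights are presumably already answered there, which does not match the commit title; if this branch is meant for the OPTIONS requests that remain, say so in a comment such as `// OPTIONS that the CORS middleware let through: answer 204 rather than fall to the router's 404/405`. The check sits only in the IP-literal accept branch shown, so any hostname-based accept path outside the hunk would need the same handling to behave consistently. A test that sends OPTIONS with an allowed and with a rejected Host would pin both outcomes; the function body starts and ends outside the hunk.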