@@ -47,6 +47,12 @@ function api_log($_data) {
}
+// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
+if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
+ header('HTTP/1.1 403 Forbidden');
+ exit;
+}
+
if (isset($_GET['query'])) {
$query = explode('/', $_GET['query']);
FreddleSpl0it