From 7b40c736e6deac831eb00d8a988516ac9adfad79 Mon Sep 17 00:00:00 2001
From: Markus Heiser <markus.heiser@darmarit.de>
Date: Sat, 24 Jul 2021 15:17:08 +0200
Subject: [PATCH] [mod] hardening SearXNG instances by default (formats)

Deny formats has been implemented in 6ed4616d.

To harden SearXNG instances by default, other formats than HTML should be
denied.  Most of JSON, RSS and CSV requests are bots [1]::

    Bots are the only users of this feature on a public instance, and they abuse
    it too much that the engines rate limit pretty quickly the IP address of the
    instance.

[1] https://github.com/searxng/searxng/issues/95

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
---
 searx/settings.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/searx/settings.yml b/searx/settings.yml
index faadb36d1..0306f00bd 100644
--- a/searx/settings.yml
+++ b/searx/settings.yml
@@ -27,7 +27,9 @@ search:
   # max ban time in seconds after engine errors
   max_ban_time_on_fail: 120
   # remove format to deny access, use lower case.
-  formats: [html, csv, json, rss]
+  # formats: [html, csv, json, rss]
+  formats:
+    - html
 
 server:
   port: 8888