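'Missing url parameter']); exit; }

// Fetch-by-URL endpoint: the client-supplied $url is only retrieved when its
// host is on the allow-list and its scheme is https. $url and $ALLOWED_HOSTS
// are defined before this excerpt.
$parsed = parse_url($url);

// parse_url() returns false for seriously malformed URLs; the ?? fallback
// turns that into an empty host, which can never be on the allow-list.
$host = strtolower($parsed['host'] ?? '');

if (!in_array($host, $ALLOWED_HOSTS, true)) {
    http_response_code(403);
    echo json_encode(['error' => 'Host not permitted: ' . htmlspecialchars($host, ENT_QUOTES, 'UTF-8')]);
    exit;
}

// Only allow HTTPS to prevent downgrade to plain HTTP
if (($parsed['scheme'] ?? '') !== 'https') {
    http_response_code(403);
    echo json_encode(['error' => 'Only HTTPS URLs are permitted']);
    exit;
}

// The host and scheme checks above cover only the URL the client supplied.
// The http(s) stream wrapper follows Location headers by default, so an
// allow-listed host that answers with a redirect could steer this request to
// a host or scheme that was never validated. Redirect following is therefore
// switched off and a 3xx answer is treated as an upstream failure.
// NOTE(review): the allow-list is evaluated on parse_url()'s view of the URL
// while the fetch uses the raw string; consider rejecting URLs that carry
// userinfo or an unexpected port if the allow-list is meant to pin a single
// service per host.
$context = stream_context_create([
    'http' => [
        'follow_location' => 0,
    ],
]);

$response = file_get_contents($url, false, $context);

// $http_response_header is filled in by the http wrapper; it stays unset when
// the connection failed before any response was received.
$statusLine = $http_response_header[0] ?? '';
$isRedirect = preg_match('#^HTTP/\S+\s+3\d\d\b#', $statusLine) === 1;

if ($response === false || $isRedirect) {
    http_response_code(502);
    echo json_encode(['error' => 'Upstream request failed']);
    exit;
}

// The upstream body is relayed unchanged. NOTE(review): no Content-Type header
// is set in this excerpt; confirm the response type is fixed earlier in the
// file so relayed content is not interpreted as HTML by the browser.
echo $response;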