modulos_internal/proxy.php

<?php
// proxy.php — server-side proxy restricted to the Tasmanian LIST ArcGIS service.
// Originally used by plan-view.html for planning data lookups; the main app now uses
// classes/list_lookup.php instead. This file is kept for legacy/diagnostic use only.

header("Access-Control-Allow-Origin: https://modulosdesign.com.au");
header("Content-Type: application/json");

$ALLOWED_HOSTS = [
    'services.thelist.tas.gov.au',
    'thelistsrv.thelist.tas.gov.au',
];

$url = $_GET['url'] ?? '';

if (!$url) {
    http_response_code(400);
    echo json_encode(['error' => 'Missing url parameter']);
    exit;
}

$parsed = parse_url($url);
$host   = strtolower($parsed['host'] ?? '');

if (!in_array($host, $ALLOWED_HOSTS, true)) {
    http_response_code(403);
    echo json_encode(['error' => 'Host not permitted: ' . htmlspecialchars($host, ENT_QUOTES, 'UTF-8')]);
    exit;
}

// Only allow HTTPS to prevent downgrade to plain HTTP
if (($parsed['scheme'] ?? '') !== 'https') {
    http_response_code(403);
    echo json_encode(['error' => 'Only HTTPS URLs are permitted']);
    exit;
}

$response = file_get_contents($url);

if ($response === false) {
    http_response_code(502);
    echo json_encode(['error' => 'Upstream request failed']);
    exit;
}

echo $response;