eggjs 框架安全

JSong
/**
   * security options
   *
   * Most entries below are per-middleware option objects with an `enable`
   * flag. Note that `defaultMiddleware` lists hsts and csp although both have
   * `enable: false` further down, and that `referrerPolicy` and `ssrf` are not
   * in that list at all — presumably the list and the per-entry `enable` flag
   * are checked separately; confirm against the middleware loader.
   * @member Config#security
   * @property {String} defaultMiddleware - comma-separated security middleware loaded by default
   * @property {Object} csrf - CSRF defence options; `type` selects the ctoken or referer check
   * @property {Object} xframe - X-Frame-Options response header, default SAMEORIGIN
   * @property {Object} hsts - Strict-Transport-Security response header, max age one year (disabled here)
   * @property {Object} methodnoallow - HTTP method filter
   * @property {Object} noopen - X-Download-Options header that stops IE automatically opening downloads
   * @property {Object} nosniff - X-Content-Type-Options header that stops IE8 MIME sniffing
   * @property {Object} xssProtection - X-XSS-Protection header for the IE8 XSS filter, enabled by default
   * @property {Object} csp - Content-Security-Policy config (disabled here, empty policy)
   * @property {Object} referrerPolicy - Referrer-Policy header config (disabled here)
   * @property {Object} dta - directory traversal attack prevention
   * @property {Object} ssrf - SSRF protection: IP block list and address check hook (both unset here)
   * @property {Array} domainWhiteList - domain white list (empty here)
   * @property {Array} protocolWhiteList - protocol white list (empty here)
   */
  exports.security = {
    // Both lists are empty here. NOTE(review): confirm what the framework's
    // redirect / URL helpers fall back to when these are empty.
    domainWhiteList: [],
    protocolWhiteList: [],
    // Order of the comma-separated names is the order the middleware are
    // registered. hsts and csp appear here but are disabled below;
    // referrerPolicy and ssrf are configured below but not listed.
    defaultMiddleware: 'csrf,hsts,methodnoallow,noopen,nosniff,csp,xssProtection,xframe,dta',
 
    csrf: {
      enable: true,
 
      // can be ctoken or referer or all
      // ctoken: a token (cookie or session, see below) must match the value
      // sent in the header, body or query field named below.
      // referer: the Referer header is checked against refererWhiteList.
      type: 'ctoken',
      // false: presumably requests with a JSON body are still checked — verify
      ignoreJSON: false,
 
      // These options only apply to the ctoken type
      useSession: false,
      // can be function(ctx) or String
      cookieDomain: undefined,
      cookieName: 'csrfToken',
      sessionName: 'csrfToken',
      headerName: 'x-csrf-token',
      bodyName: '_csrf',
      queryName: '_csrf',
 
      // These options only apply to the referer type; the list is empty here
      refererWhiteList: [
        // 'eggjs.org'
      ],
    },
 
    xframe: {
      enable: true,
      // 'SAMEORIGIN', 'DENY' or 'ALLOW-FROM http://example.jp'
      value: 'SAMEORIGIN',
    },
 
    hsts: {
      // Disabled here even though hsts is in defaultMiddleware.
      enable: false,
      // seconds; 365 days
      maxAge: 365 * 24 * 3600,
      includeSubdomains: false,
    },
 
    // directory traversal attack prevention
    dta: {
      enable: true,
    },
 
    // HTTP method filter
    methodnoallow: {
      enable: true,
    },
 
    // X-Download-Options
    noopen: {
      enable: true,
    },
 
    // X-Content-Type-Options
    nosniff: {
      enable: true,
    },
 
    referrerPolicy: {
      // Disabled here; not in defaultMiddleware either.
      enable: false,
      value: 'no-referrer-when-downgrade',
    },
 
    xssProtection: {
      enable: true,
      // X-XSS-Protection header value
      value: '1; mode=block',
    },
 
    csp: {
      // Disabled here and the policy object is empty — a CSP needs directives
      // in `policy` before `enable` is switched on.
      enable: false,
      policy: {},
    },
 
    // Not in defaultMiddleware. Both hooks are unset here: no IP block list
    // and no address check; the names suggest a list of IPs/CIDRs and a
    // callback respectively — confirm the expected shapes before setting them.
    ssrf: {
      ipBlackList: null,
      checkAddress: null,
    },
  };

版权声明:本文为CSDN博主「beginnboyer」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/wenrenn...
