如何阻止Node.js / Express提供应用程序的源代码？ [英] How do I prevent Node.js / Express serving up my application's source code?

问题描述

我从来没有想过这将是Node.js和Express的一个问题，但是在一个疯狂的想法中，我决定在浏览器中输入Node.js Express项目中的一个源文件的位置，例如：

http://www.mywebsite.com/mynodejsapp/app。 js

对我的 极限恐怖 ，我的应用程序的源代码弹出，公开可用所有看到。

所以，除此之外：如何在Node.js / Express中停止它？

我的设置代码非常简单：

  var app = express（）; 
 app.configure（function（）{
 app.use（express.static（'/ home / prod / server / app / public'））; 
}）; 
 app.listen（8888）; 
  

要澄清一点，这就是我的文件夹结构：

/ home / prod / server /

/home/prod/server/app.js

/ home / prod / server / public /

用于公开访问的各种各样的文件可以在 / public 下生成。我的所有服务器源代码都位于 / server / 之下，我对Express的静态文件夹配置的理解是，静态文件夹是唯一可以快速地从文件系统从。

任何想法？

解决方案

它真的闻起来像你输入的URL由例如Apache / nginx / ...并且您将节点应用程序放在文档根目录中。答案在这个（和任何类似的）情况下很简单：

你永不将任何源代码文件放在文档根目录或另一个HTTP可访问的文件夹。在你的情况下， / home / prod / server / app / public 应该只包含客户端的东西（HTML，CSS，Graphics，（minified）客户端JS）和nginx不应该有这个文件夹以上的文件作为其文档根目录。

I never thought this would be a problem with Node.js and Express, but on a crazy whim I decided to type into a browser the location of one of the source files in my Node.js Express project - something like:

http://www.mywebsite.com/mynodejsapp/app.js

To my extreme horror, my application's source code popped right up, publicly available for all to see.

So, that aside: how do I stop it in Node.js / Express?

My setup code is pretty straightforward:

var app = express();
app.configure(function() {
    app.use(express.static('/home/prod/server/app/public'));
});
app.listen(8888);

To clarify, this is what my folder structure looks like:

/home/prod/server/
/home/prod/server/app.js
/home/prod/server/public/

All sorts of various files that are intended for public access live under /public. All of my server source code lives under /server/, and my understanding of Express's static folder configuration is that the static folder is the only place that Express happily serves up files from the filesystem from.

Any ideas?

解决方案

From what you posted it really smells like the URL you entered is served by e.g. Apache/nginx/... and you did put your node app within the document root. The answer is simple in this (and any similar) case:

You never put any of your sourcecode files within the document root or another HTTP-accessible folder. In your case, /home/prod/server/app/public should contain only client-side stuff (HTML, CSS, Graphics, (minified) client-side JS) and nginx should not have anything above this folder as its document root.

这篇关于如何阻止Node.js / Express提供应用程序的源代码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！