nodeJS-我到底可以在哪里放置内容安全策略 [英] nodeJS - where exactly can I put the Content Security Policy
本文介绍了nodeJS-我到底可以在哪里放置内容安全策略的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我不知道在我的代码中将以下内容安全策略(CSP)片段应用于何处;
I don't know where to apply the Content Security Policy (CSP) snippet below in my code;
Content-Security-Policy: script-src 'self' https://apis.google.com
应该是在HTML中?
是否最好在JavaScript中实现,如下面的代码片段所示?
Will it be best implemented in JavaScript as in the code snippet below?
var policy = "default-src 'self'";
http.createServer(function (req, res) {
res.writeHead(200, {
'Content-Security-Policy': policy
});
});
推荐答案
您只需要在HTTP标头中进行设置,不是HTML。这是一个带有静态服务器的express 4的工作示例:
You just need to set it in the HTTP Header, not the HTML. This is a working example with express 4 with a static server:
var express = require('express');
var app = express();
app.use(function(req, res, next) {
res.setHeader("Content-Security-Policy", "script-src 'self' https://apis.google.com");
return next();
});
app.use(express.static(__dirname + '/'));
app.listen(process.env.PORT || 3000);
如果您想了解有关CSP的更多信息,这是一篇很棒的文章: http://www.html5rocks.com/zh-CN/tutorials/security/content-security-policy/
If you want more information about CSP, this is an excelent article: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
希望有帮助!
这篇关于nodeJS-我到底可以在哪里放置内容安全策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文