nodeJS-我到底可以在哪里放置内容安全策略 [英] nodeJS - where exactly can I put the Content Security Policy

问题描述

我不知道在我的代码中将以下内容安全策略（CSP）片段应用于何处；

I don't know where to apply the Content Security Policy (CSP) snippet below in my code;

Content-Security-Policy: script-src 'self' https://apis.google.com

应该是在HTML中？

是否最好在JavaScript中实现，如下面的代码片段所示？

Will it be best implemented in JavaScript as in the code snippet below?

var policy = "default-src 'self'";
http.createServer(function (req, res) {
    res.writeHead(200, {
        'Content-Security-Policy': policy
    });
});

推荐答案

您只需要在HTTP标头中进行设置，不是HTML。这是一个带有静态服务器的express 4的工作示例：

You just need to set it in the HTTP Header, not the HTML. This is a working example with express 4 with a static server:

var express = require('express');
var app = express();


app.use(function(req, res, next) {
    res.setHeader("Content-Security-Policy", "script-src 'self' https://apis.google.com");
    return next();
});

app.use(express.static(__dirname + '/'));

app.listen(process.env.PORT || 3000);

如果您想了解有关CSP的更多信息，这是一篇很棒的文章： http://www.html5rocks.com/zh-CN/tutorials/security/content-security-policy/

If you want more information about CSP, this is an excelent article: http://www.html5rocks.com/en/tutorials/security/content-security-policy/

希望有帮助！

这篇关于nodeJS-我到底可以在哪里放置内容安全策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！