如何在express.js node.js中设置X-Frame-Options [英] How to set X-Frame-Options in express.js node.js

问题描述

我想在一些台式机/移动网络客户端的iframe中提供一些静态资产。

I have some static assets that I want to serve inside iframes of several desktop / mobile web clients.

现在，如何将一组特定的来源列入白名单允许$​​ b $ b设置X-Frame-Options标头，以便将资源作为iframe
嵌入不同的桌面/移动网络客户端中。
和其他所有来源都拒绝访问此资源。

Now, how do I whitelist a specific set of origins to be allowed setting of X-Frame-Options headers so that the resource can be embedded as iframes inside different desktop / mobile web clients. and for all other origins denies the access to this resource.

我做了一点挖掘后才开始使用-

With a little digging I started off with -

const app = express();

var allowCrossDomain = function (req, res, next) {
    res.header('Access-Control-Allow-Origin', '*');
    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
    res.header('Access-Control-Allow-Headers', 'Content-Type, X-Requested-With, Authorization');
    if (req.method === "OPTIONS") res.send(200);
    else next();
}
app.use(allowCrossDomain);

现在在这里如何设置带有白名单原始值的X-Frame-Options标头-

Now here how do I set the X-Frame-Options header with the whitelisted origin values here -

推荐答案

您应导入头盔，然后使用 frameguard 将某些来源列入白名单。有关此主题的更多信息： MDN X-FRAME-OPTIONS 最佳实践安全性

You should import helmet and use frameguard to get some origins whitelisted. More on this topic: MDN X-FRAME-OPTIONS Best Practice Security

这篇关于如何在express.js node.js中设置X-Frame-Options的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！