How to set X-Frame-Options in express.js node.js
Problem description
I have some static assets that I want to serve inside iframes of several desktop / mobile web clients.
Now, how do I whitelist a specific set of origins by setting the X-Frame-Options header, so that the resource can be embedded as an iframe inside different desktop / mobile web clients, and access to this resource is denied for all other origins?
With a little digging I started off with -
const express = require('express');
const app = express();

// CORS middleware: these headers govern cross-origin XHR/fetch access,
// not whether the response may be framed.
var allowCrossDomain = function (req, res, next) {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
res.header('Access-Control-Allow-Headers', 'Content-Type, X-Requested-With, Authorization');
// Answer CORS preflight requests directly; res.send(200) would send "200" as the body.
if (req.method === "OPTIONS") res.sendStatus(200);
else next();
}
app.use(allowCrossDomain);
Now, how do I set the X-Frame-Options header with the whitelisted origin values here?
Recommended answer
You should import helmet and use frameguard to get some origins whitelisted. More on this topic: MDN X-FRAME-OPTIONS, Best Practice Security
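As an added example (not part of the question or the answer above), here is Express-compatible middleware that implements the allow-list the question asks for. X-Frame-Options itself cannot carry a list of origins: its only per-origin form, ALLOW-FROM, takes a single origin and is ignored by current browsers, so the list is expressed with Content-Security-Policy: frame-ancestors and X-Frame-Options is kept only as a conservative fallback for browsers that ignore frame-ancestors. The partner origins, the asset path and the headersFor helper are assumptions for illustration; express is assumed to be installed for the wiring shown in the comment.

```javascript
'use strict';

// Hypothetical embedding clients; replace with the real desktop/mobile origins.
const ALLOWED_EMBEDDERS = [
  'https://desktop.example.com',
  'https://m.example.com:8443',
];

// Reject anything that is not a bare https origin (scheme://host[:port]).
// A stray path, query or http: entry would silently weaken or break the policy.
function normalizeOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    throw new TypeError(`not a valid URL: ${value}`);
  }
  if (url.protocol !== 'https:') {
    throw new TypeError(`embedder must be https: ${value}`);
  }
  if (url.origin !== value) {
    throw new TypeError(`use the bare origin ${url.origin}, not ${value}`);
  }
  return url.origin;
}

// Compute the framing headers once, at startup, so a bad entry fails fast.
function buildFramingHeaders(embedders) {
  const origins = embedders.map(normalizeOrigin);
  if (origins.length === 0) {
    // Nobody may frame these responses; both headers say the same thing.
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  return {
    // Browsers that support CSP 2: only our own origin and the listed
    // partners may embed the response; everyone else is refused.
    'Content-Security-Policy': `frame-ancestors 'self' ${origins.join(' ')}`,
    // Browsers that ignore frame-ancestors cannot be given a list, so refuse
    // cross-origin framing rather than allowing everyone. Browsers that do
    // understand frame-ancestors ignore X-Frame-Options when both are present.
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Express-style middleware: (req, res, next), using res.setHeader from Node's
// http.ServerResponse so it also runs against a plain stand-in response.
function frameAncestors(embedders) {
  const headers = buildFramingHeaders(embedders);
  return function frameAncestorsMiddleware(req, res, next) {
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    next();
  };
}

// Runs the middleware against a minimal stand-in for Express's req/res so the
// resulting headers can be inspected without starting a server.
function headersFor(embedders) {
  const sent = {};
  const res = { setHeader(name, value) { sent[name] = value; } };
  let nextCalled = false;
  frameAncestors(embedders)({ method: 'GET', url: '/widget.js' }, res, () => {
    nextCalled = true;
  });
  if (!nextCalled) throw new Error('middleware did not call next()');
  return sent;
}

// Wiring into the app from the question (assumes express is installed):
//   const express = require('express');
//   const app = express();
//   app.use(frameAncestors(ALLOWED_EMBEDDERS));
//   app.use(express.static('public'));
```

Note that the CORS middleware in the question controls cross-origin fetch/XHR access and has no effect on framing; the two policies are independent and both headers above are sent on every response, including static assets. The trade-off in the non-empty case is deliberate: legacy browsers without frame-ancestors support will refuse the partner embeds instead of accepting any embedder.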