Node.js secure cookie and HttpOnly behind a proxy server


Question

In Node.js with a secure cookie and HttpOnly behind a proxy server: how do the HttpOnly flag and a cookie with the Secure flag send their headers to the proxy server?

I have been reading and assume I need to enable X-Forwarded-Proto on my proxy server?

// NODE_ENV must be set before express() is called: app.get('env') is read
// from process.env.NODE_ENV once, when the app object is created.
process.env.NODE_ENV = 'production';

// Requires and Redis client were omitted from the question; added here so the
// snippet runs (connect-redis v3/v4 factory style assumed).
const express = require('express');
const session = require('express-session');
const RedisStore = require('connect-redis')(session);
const client = require('redis').createClient({ host: '127.0.0.1', port: 6379 });
const app = express();

if (app.get('env') === 'production') {
  app.set('trust proxy', 1) // trust first proxy
}

app.use(session({
    store: new RedisStore({host: '127.0.0.1', port: 6379, client: client, ttl:  3600}),
    key: 'sid',          // legacy alias of `name`: the session ID cookie name
    secret: 'abcde',     // placeholder; use a long random value from config
    resave: false,
    saveUninitialized: false,
//    proxy: true,
    cookie: {
        secure: true,    // only sent if the request is seen as HTTPS
        httpOnly: true,
        maxAge: 3600000  // milliseconds
    }
}));

Answer

I had a similar problem and solved it with the help of this tutorial.

You also need to set the proxy option to true in your session config. I would suggest doing this with an environment variable expression, process.env.NODE_ENV === "production".

// Requires and Redis client added so the snippet runs on its own
// (connect-redis v3/v4 factory style assumed).
const express = require('express');
const session = require('express-session');
const RedisStore = require('connect-redis')(session);
const client = require('redis').createClient({ host: '127.0.0.1', port: 6379 });
const app = express();

app.use(session({
    store: new RedisStore({host: '127.0.0.1', port: 6379, client: client, ttl:  3600}),
    key: 'sid',
    secret: 'abcde',     // placeholder; use a long random value from config
    resave: false,
    saveUninitialized: false,
    // trust X-Forwarded-Proto from the reverse proxy only in production
    proxy: process.env.NODE_ENV === "production",
    cookie: {
        secure: process.env.NODE_ENV === "production",
        httpOnly: true,
        maxAge: 3600000
    }
}));

From the express-session documentation:

proxy

Trust the reverse proxy when setting secure cookies (via the "X-Forwarded-Proto" header).

The default value is undefined.

true: the "X-Forwarded-Proto" header will be used.
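The reason the asker's cookie never arrives is visible once the decision is written out. The following is an added, simplified re-implementation of the check express-session makes before emitting a cookie marked Secure (it is not express-session's own code and not from the answer); `isSecure`, `sessionSetCookie` and the constructed request object are assumptions for illustration.

```javascript
'use strict';

// Only the first value of X-Forwarded-Proto counts: each proxy in a chain
// appends its own, so the outermost (client-facing) hop is the first entry.
function firstForwardedProto(headers) {
  const value = headers['x-forwarded-proto'] || '';
  return value.split(',')[0].trim().toLowerCase();
}

// Mirrors the `proxy` session option:
//   true      -> trust X-Forwarded-Proto
//   false     -> never trust it
//   undefined -> fall back to req.secure (Express "trust proxy" setting)
function isSecure(req, proxy) {
  if (req.socket && req.socket.encrypted) return true; // TLS terminated on Node itself
  if (proxy === false) return false;
  if (proxy !== true) return req.secure === true;
  return firstForwardedProto(req.headers) === 'https';
}

// Returns the Set-Cookie value, or null when a Secure cookie would be sent
// over what looks like plain HTTP. null is the symptom in the question: Node
// sees an unencrypted socket from the proxy and silently drops the cookie.
function sessionSetCookie(req, proxy, opts) {
  if (opts.secure && !isSecure(req, proxy)) return null;
  const parts = [`${opts.name}=${encodeURIComponent(opts.value)}`, 'Path=/'];
  if (opts.maxAge) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Constructed request as a reverse proxy forwards it: TLS ended at the proxy,
// plain-HTTP socket into Node, protocol carried only in the header.
const behindProxy = {
  socket: { encrypted: false },
  headers: { 'x-forwarded-proto': 'https' }
};
const cookieOpts = { name: 'sid', value: 'abc123', secure: true, httpOnly: true, maxAge: 3600000 };

// Because proxy: true makes the header authoritative, keep Node reachable
// only through the proxy so the header always comes from it.
```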
