NodeJS HTTP Server-禁用HTTP方法,TRACK TRACE等 [英] NodeJS HTTP Server - disable HTTP methods, TRACK TRACE etc
问题描述
在我获得的NodeJS HTTP服务器上运行 nmap
:
Running nmap
on my NodeJS HTTP server I get:
nmap -p 443 --script http-methods localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-28 11:26 BST
Nmap scan report for localhost
Host is up (0.00051s latency).
PORT STATE SERVICE
443/tcp open https
| http-methods: ACL BIND CHECKOUT CONNECT COPY DELETE GET HEAD LINK LOCK M-SEARC H MERGE MKACTIVITY MKCALENDAR MKCOL MOVE NOTIFY PATCH POST PROPFIND PROPPATCH PU RGE PUT REBIND REPORT SEARCH SUBSCRIBE TRACE UNBIND UNLINK UNLOCK UNSUBSCRIBE
| Potentially risky methods: ACL BIND CHECKOUT CONNECT COPY DELETE LINK LOCK M-S EARCH MERGE MKACTIVITY MKCALENDAR MKCOL MOVE NOTIFY PATCH PROPFIND PROPPATCH PUR GE PUT REBIND REPORT SEARCH SUBSCRIBE TRACE UNBIND UNLINK UNLOCK UNSUBSCRIBE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
MAC Address: AB:CD:75:EF:A5:6D (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
因此,我希望禁用其中一些方法,主要是在潜在危险的方法:"列表中.
So I'm looking to disable some of these methods, mainly in the "Potentially risky methods:" list.
这在Apache中是微不足道的,但是在NodeJS中我看不到任何方法.
This is pretty trivial in Apache, but I can't see any way of doing it in NodeJS.
此SO问题讨论了如何编辑Node的C源代码,但我真的不想这样做.
This SO question talks about editing the C source of Node, but I don't really want to have to do that.
节点文档显示了http.METHODS方法,但这仅是获得
The node docs show a http.METHODS method, but thats just a get.
推荐答案
在NodeJS帮助github上提问,并从 bnoordhuis 处获得了以下响应:
Asked on the NodeJS help github and got this response from bnoordhuis:
const allowedMethods = ['GET','HEAD','POST'];
function onrequest(req, res) {
if (!allowedMethods.includes(req.method))
return res.end(405, 'Method Not Allowed');
// ...
}
https://github.com/nodejs/help/issues/357
这篇关于NodeJS HTTP Server-禁用HTTP方法,TRACK TRACE等的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!