所有路由的HTTPS重定向node.js / express - 安全性问题 [英] HTTPS redirection for all routes node.js/express - Security concerns
问题描述
//强制https重定向
var https_redirect = function(req,res,next){
if(req.secure){
if(env ==='development'){
return res.redirect('https: // localhost:3000'+ req.url);
} else {
return res.redirect('https://'+ req.headers.host + req.url);
}
} else {
return next();
}
};
app.get('*',function(req,res,next){
https_redirect(req,res,next);
});
这似乎工作正常。但是,由于我没有这样做,我有几个问题:
- 这是从http到https的重定向的理想方式?
- 如果用户使用http路由,在重定向之前,任何人都可以使用像sslstrip这样的东西来嗅出会话信息。
- Is this the ideal way to redirect from http to https?
- If a user uses the http route, prior to the redirect is it possible for anyone to use something like sslstrip to sniff out session info.
node:v0.8.2; express:v3.05
function requireHTTPS(req,res,next){
if(!req.secure){
// FYI这应该适用于本地开发以及
返回res.redirect('https://'+ req.get('host') + req.url);
}
next();
}
app.use(requireHTTPS);
app.get('/',routeHandlerHome);
中间件方法将会起作用,因为express将在添加的顺序中运行中间件,然后运行路由器一般而言,这种网站范围内的政策比较中间件与通配符路由更为清晰。
关于嗅探会话cookie的问题2,必须通过标记来解决当您设置它们时,Cookie为 secure 。如果它们没有被标记为安全的,那么浏览器也会传送它们与HTTP请求,从而使他们嗅探。
I recently took a stab at setting up HTTPS on a node/express server. I have successfully managed to redirect all the routes to use https using the code below:
// force https redirect
var https_redirect = function(req, res, next) {
if (req.secure) {
if(env === 'development') {
return res.redirect('https://localhost:3000' + req.url);
} else {
return res.redirect('https://' + req.headers.host + req.url);
}
} else {
return next();
}
};
app.get('*', function(req, res, next) {
https_redirect(req, res, next);
});
This seems to be working fine. However, since I havent' dabbled into this before I have a couple of questions:
node: v0.8.2 ; express: v3.05
function requireHTTPS(req, res, next) {
if (!req.secure) {
//FYI this should work for local development as well
return res.redirect('https://' + req.get('host') + req.url);
}
next();
}
app.use(requireHTTPS);
app.get('/', routeHandlerHome);
The middleware approach will work because express will run the middleware in the order added, before it runs the router, and in general this kind of site-wide policy is cleaner as middleware vs. a wildcard route.
Regarding question 2 about sniffing session cookies, that must be addressed by marking the cookies as secure when you set them. If they haven't been marked secure, the browser will transmit them with HTTP requests as well, thus exposing them to sniffing.
这篇关于所有路由的HTTPS重定向node.js / express - 安全性问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
