eggjs Framework Security

Posted JSong


```js
/**
 * security options
 * @member Config#security
 * @property {String} defaultMiddleware - security middleware enabled by default
 * @property {Object} csrf - whether to defend against CSRF attacks
 * @property {Object} xframe - whether to send the X-Frame-Options response header, default SAMEORIGIN
 * @property {Object} hsts - whether to send the Strict-Transport-Security response header, default max-age is one year
 * @property {Object} methodnoallow - whether to enable the HTTP method filter
 * @property {Object} noopen - whether to stop IE from automatically opening downloads (X-Download-Options)
 * @property {Object} nosniff - whether to stop IE8 from automatically detecting MIME types (X-Content-Type-Options)
 * @property {Object} xssProtection - whether to enable the IE8 XSS filter, enabled by default
 * @property {Object} csp - Content Security Policy config
 * @property {Object} referrerPolicy - Referrer-Policy config
 * @property {Object} dta - automatically prevent directory traversal attacks
 * @property {Array} domainWhiteList - domain white list
 * @property {Array} protocolWhiteList - protocol white list
 */
exports.security = {
  domainWhiteList: [],
  protocolWhiteList: [],
  defaultMiddleware: 'csrf,hsts,methodnoallow,noopen,nosniff,csp,xssProtection,xframe,dta',

  csrf: {
    enable: true,

    // can be ctoken, referer or all
    type: 'ctoken',
    ignoreJSON: false,

    // These options apply when using the ctoken type
    useSession: false,
    // can be function(ctx) or String
    cookieDomain: undefined,
    cookieName: 'csrfToken',
    sessionName: 'csrfToken',
    headerName: 'x-csrf-token',
    bodyName: '_csrf',
    queryName: '_csrf',

    // These options apply when using the referer type
    refererWhiteList: [
      // 'eggjs.org'
    ],
  },

  xframe: {
    enable: true,
    // 'SAMEORIGIN', 'DENY' or 'ALLOW-FROM http://example.jp'
    value: 'SAMEORIGIN',
  },

  hsts: {
    enable: false,
    maxAge: 365 * 24 * 3600,
    includeSubdomains: false,
  },

  dta: {
    enable: true,
  },

  methodnoallow: {
    enable: true,
  },

  noopen: {
    enable: true,
  },

  nosniff: {
    enable: true,
  },

  referrerPolicy: {
    enable: false,
    value: 'no-referrer-when-downgrade',
  },

  xssProtection: {
    enable: true,
    value: '1; mode=block',
  },

  csp: {
    enable: false,
    policy: {},
  },

  ssrf: {
    ipBlackList: null,
    checkAddress: null,
  },
};
```
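An added illustration, not egg-security's own code, of what the header-related options above actually control: it derives the response headers a config shaped like this one yields, first with the listed defaults (HSTS, CSP and Referrer-Policy off) and then with a hardened override of the kind an app would put in config/config.default.js. The option-to-header mapping and the per-option shallow merge are assumptions made here.

```javascript
// Subset of the defaults listed above, restricted to the options that set response headers.
const DEFAULTS = {
  xframe: { enable: true, value: 'SAMEORIGIN' },
  hsts: { enable: false, maxAge: 365 * 24 * 3600, includeSubdomains: false },
  noopen: { enable: true },
  nosniff: { enable: true },
  referrerPolicy: { enable: false, value: 'no-referrer-when-downgrade' },
  xssProtection: { enable: true, value: '1; mode=block' },
  csp: { enable: false, policy: {} },
};

// Overlay an app-level override on the defaults, one level deep
// (assumption: per-option shallow merge, like egg's config layering).
function mergeSecurity(defaults, override) {
  const out = {};
  for (const key of new Set([...Object.keys(defaults), ...Object.keys(override)])) {
    out[key] = { ...(defaults[key] || {}), ...(override[key] || {}) };
  }
  return out;
}

// Serialise a policy object ({ 'default-src': "'self'", ... }) into CSP header syntax.
function cspValue(policy) {
  return Object.entries(policy).map(([d, s]) => `${d} ${[].concat(s).join(' ')}`).join('; ');
}

// Map each enabled option to the standard response header it controls.
function securityHeaders(cfg) {
  const h = {};
  if (cfg.xframe.enable) h['X-Frame-Options'] = cfg.xframe.value;
  if (cfg.nosniff.enable) h['X-Content-Type-Options'] = 'nosniff';
  if (cfg.noopen.enable) h['X-Download-Options'] = 'noopen';
  if (cfg.xssProtection.enable) h['X-XSS-Protection'] = cfg.xssProtection.value;
  if (cfg.referrerPolicy.enable) h['Referrer-Policy'] = cfg.referrerPolicy.value;
  if (cfg.hsts.enable) {
    h['Strict-Transport-Security'] = `max-age=${cfg.hsts.maxAge}` +
      (cfg.hsts.includeSubdomains ? '; includeSubDomains' : '');
  }
  if (cfg.csp.enable && Object.keys(cfg.csp.policy).length > 0) {
    h['Content-Security-Policy'] = cspValue(cfg.csp.policy);
  }
  return h;
}

// Constructed hardened override: turn on the headers the defaults leave off.
const HARDENED = {
  hsts: { enable: true, includeSubdomains: true },
  referrerPolicy: { enable: true, value: 'strict-origin-when-cross-origin' },
  csp: { enable: true, policy: { 'default-src': "'self'", 'object-src': "'none'" } },
};

console.log(securityHeaders(DEFAULTS));
console.log(securityHeaders(mergeSecurity(DEFAULTS, HARDENED)));
```

With the defaults only X-Frame-Options, X-Content-Type-Options, X-Download-Options and X-XSS-Protection appear; the override keeps maxAge from the defaults and adds the three missing headers.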

Copyright notice: this article is an original work by CSDN blogger "beginnboyer", published under the CC 4.0 BY-SA licence; when reposting, include a link to the original source and this notice.
Original link: https://blog.csdn.net/wenrenn...
