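/**
 * Security options for the application (egg-style `config.security`).
 *
 * Reviewer note: a middleware being named in `defaultMiddleware` is not the
 * same as it being active. `hsts` and `csp` are listed there yet ship with
 * `enable: false` below, so always check each entry's own `enable` flag.
 * Settings that most deployments will want to revisit before going live are
 * marked "REVIEW" inline.
 *
 * @member Config#security
 * @property {String} defaultMiddleware - comma-separated security middlewares loaded by default
 * @property {Object} csrf - CSRF defence (on by default, cookie-token mode)
 * @property {Object} xframe - X-Frame-Options response header, default SAMEORIGIN
 * @property {Object} hsts - Strict-Transport-Security header; max-age defaults to one year, but the header is OFF by default
 * @property {Object} methodnoallow - HTTP method filter
 * @property {Object} noopen - stop IE from automatically opening downloaded files
 * @property {Object} nosniff - stop browsers from MIME-sniffing responses
 * @property {Object} xssProtection - legacy IE8+ XSS filter header, on by default
 * @property {Object} csp - Content-Security-Policy config (OFF by default, empty policy)
 * @property {Object} referrerPolicy - Referrer-Policy config (OFF by default)
 * @property {Object} dta - directory-traversal protection
 * @property {Array} domainWhiteList - domain allow list (empty by default)
 * @property {Array} protocolWhiteList - protocol allow list (empty by default)
 * @property {Object} ssrf - SSRF protection; no IP filtering is configured by default
 */
exports.security = {
  // Empty allow lists are the most restrictive setting; add entries
  // deliberately rather than widening them to silence a rejected redirect.
  domainWhiteList: [],
  protocolWhiteList: [],

  // Order and membership of the default middleware chain. Note that
  // `referrerPolicy` is NOT in this list, and that `hsts`/`csp` are listed
  // but disabled via their own `enable` flags below.
  defaultMiddleware: 'csrf,hsts,methodnoallow,noopen,nosniff,csp,xssProtection,xframe,dta',

  csrf: {
    enable: true,
    // can be ctoken or referer or all
    type: 'ctoken',
    // REVIEW: leave false. Setting it true exempts JSON bodies from the
    // token check, which only helps if you are certain no cross-origin
    // sender can produce such a request.
    ignoreJSON: false,
    // These config works when using ctoken type
    useSession: false,
    // can be function(ctx) or String
    cookieDomain: undefined,
    cookieName: 'csrfToken',
    sessionName: 'csrfToken',
    headerName: 'x-csrf-token',
    bodyName: '_csrf',
    queryName: '_csrf',
    // These config works when using referer type.
    // (The original listing had the closing bracket swallowed by the line
    // comment, which does not parse; fixed here.)
    refererWhiteList: [
      // 'eggjs.org',
    ],
  },

  xframe: {
    enable: true,
    // 'SAMEORIGIN', 'DENY' or 'ALLOW-FROM http://example.jp'
    // REVIEW: ALLOW-FROM is obsolete in current browsers; if you need to
    // allow specific framers, use a CSP `frame-ancestors` directive instead.
    value: 'SAMEORIGIN',
  },

  hsts: {
    // REVIEW: disabled by default. Enable it once the site is served only
    // over HTTPS; `maxAge` is one year in seconds.
    enable: false,
    maxAge: 365 * 24 * 3600,
    // Only set true if every subdomain is also HTTPS-only, since the
    // directive applies to all of them.
    includeSubdomains: false,
  },

  dta: {
    enable: true,
  },

  methodnoallow: {
    enable: true,
  },

  noopen: {
    enable: true,
  },

  nosniff: {
    enable: true,
  },

  referrerPolicy: {
    // REVIEW: off by default, and not part of `defaultMiddleware` either.
    enable: false,
    value: 'no-referrer-when-downgrade',
  },

  xssProtection: {
    enable: true,
    // Legacy header; modern browsers ignore X-XSS-Protection and rely on
    // CSP instead. Harmless to keep, but it is not a substitute for `csp`.
    value: '1; mode=block',
  },

  csp: {
    // REVIEW: off by default with an empty policy. This, not
    // `xssProtection`, is the control that actually constrains script
    // sources in current browsers.
    enable: false,
    policy: {},
  },

  ssrf: {
    // REVIEW: both null means no SSRF filtering of outbound request targets
    // is configured. Populate `ipBlackList` with internal ranges, or supply
    // a `checkAddress` function, before proxying user-supplied URLs.
    ipBlackList: null,
    checkAddress: null,
  },
};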