helmet · 前端筆記

# Helmet Helmet通過設置各種HTTP標頭來幫助您保護Express應用程序。 ## 快速開始 ~~~ const express = require('express') const helmet = require('helmet') const app = express() app.use(helmet()) ~~~ 最好在中間件堆棧的早期使用Helmet，以確保其頭部設置。單獨使用它的片段： ~~~ app.use(helmet.noCache()) app.use(helmet.frameguard()) ~~~ 禁用默認配置的某些功能 ~~~ app.use(helmet({ frameguard: false })) ~~~ 設置屬性 ~~~ app.use(helmet({ frameguard: { action: 'deny' } })) ~~~ ## 工作原理 Helmet是12個較小的中間件函數的集合，用于設置HTTP頭。默認情況下，運行app.use(helmet())將不包括所有這些中間件功能。 | 模塊 | 默認？ | 功能 | |---|---|---| | [contentSecurityPolicy ](https://helmetjs.github.io/docs/csp/)| | 設置Content Security Policy | | [expectCt ](https://helmetjs.github.io/docs/expect-ct/)| | 證書透明度 | | [dnsPrefetchControl](https://helmetjs.github.io/docs/dns-prefetch-control) | ?| 控制瀏覽器DNS prefetching| | [frameguard](https://helmetjs.github.io/docs/frameguard/) |?| 防止點擊挾持| |[hidePoweredBy](https://helmetjs.github.io/docs/hide-powered-by)|?| 移除X-Powered-By header| |[hpkp](https://helmetjs.github.io/docs/hpkp/)| | HTTP公鑰固定| |[hsts](https://helmetjs.github.io/docs/hsts/)|?| HTTP Strict Transport Security | |[ienoopen](https://helmetjs.github.io/docs/ienoopen/)|?|為IE8設置X-Download-Options |[nocache](https://helmetjs.github.io/docs/nocache/)||禁用瀏覽器緩存 |[noSniff](https://www.npmjs.com/package/helmet)|?|防止客戶端嗅探MIME類型 |[referrerPolicy](https://helmetjs.github.io/docs/referrer-policy)|||隱藏Referer header |[xssFilter](https://helmetjs.github.io/docs/xss-filter)|?||增加了一些小的XSS保護