How to prevent POST spamming in node.js Express using busboy?
I am following the example here: https://www.npmjs.com/package/busboy
I am worried that someone may deliberately try to overload the server. I wonder if there is a convenient way, before the data is uploaded, to prevent spamming by measuring the size of the entire POST body, not just the file(s) uploaded.
I tried the following, which apparently didn't work:
if (JSON.stringify(req.body).length > 5 * 1024 * 1024) res.redirect('/');
You cannot rely on Content-Length being set. Even if it were set, if the person was acting maliciously, they either may use an incorrect Content-Length or they may use Transfer-Encoding: chunked, in which case there is no way to tell how large the request body is.
Additionally, calling stringify() every time on req.body could easily cause a DoS-style attack as well.
However, busboy does have several options for limiting various aspects of application/x-www-form-urlencoded and multipart/form-data requests (e.g. max file size, max number of files, etc.).
You might also limit the parsing of request bodies to routes where you're expecting request bodies, instead of trying to parse request bodies for all requests.
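The points of the answer combined, as an added example that is not part of the original answer: a byte counter that caps the whole body without trusting Content-Length, busboy's `limits` option, and parsing on a single route only. `capBody`, `mountUpload`, the `/upload` path and the limit values are assumptions; the Express app and the busboy module are passed in by the caller.

```javascript
// Added example, not from the original answer. capBody, mountUpload, '/upload'
// and the limit values are illustrative assumptions.
const MAX_BODY_BYTES = 5 * 1024 * 1024; // the 5 MiB budget from the question
const LIMITS = { fileSize: 4 * 1024 * 1024, files: 2, fields: 20, fieldSize: 64 * 1024, parts: 25 };

// Count bytes as they arrive, so chunked bodies and false Content-Length
// values are capped the same way. Returns a function reporting the state.
function capBody(req, res, maxBytes) {
  let seen = 0, rejected = false;
  const reject = () => {
    if (rejected) return;
    rejected = true;
    req.unpipe(); // stop feeding the parser
    res.writeHead(413, { Connection: 'close' });
    res.end('Payload too large', () => req.destroy()); // drop the socket once answered
  };
  // Early exit when the declared size is already over budget.
  if (Number(req.headers['content-length']) > maxBytes) reject();
  req.on('data', (chunk) => {
    seen += chunk.length;
    if (seen > maxBytes) reject();
  });
  return () => ({ seen, rejected });
}

// Parse bodies only on the route that expects an upload.
function mountUpload(app, busboy) {
  app.post('/upload', (req, res) => {
    const state = capBody(req, res, MAX_BODY_BYTES);
    if (state().rejected) return;
    let bb;
    try {
      bb = busboy({ headers: req.headers, limits: LIMITS });
    } catch (err) {
      return res.writeHead(415).end(); // missing or unsupported Content-Type
    }
    let overLimit = false;
    const flag = () => { overLimit = true; };
    bb.on('file', (name, file) => {
      file.on('limit', flag); // fileSize reached, the stream is truncated
      file.resume(); // discard here; a real handler would store the data
    });
    for (const ev of ['filesLimit', 'fieldsLimit', 'partsLimit']) bb.on(ev, flag);
    bb.on('error', () => { if (!res.headersSent) res.writeHead(400).end(); });
    bb.on('close', () => { if (!res.headersSent) res.writeHead(overLimit ? 413 : 204).end(); });
    req.pipe(bb);
  });
}
```

Call it as `mountUpload(app, require('busboy'))`; every other route is left without a body parser.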