How to set X-Frame-Options in express.js node.js
I have some static assets that I want to serve inside iframes of several desktop / mobile web clients.
Now, how do I whitelist a specific set of origins to be allowed setting of X-Frame-Options headers so that the resource can be embedded as iframes inside different desktop / mobile web clients, and for all other origins deny access to this resource?
With a little digging I started off with -
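const express = require('express');
const app = express();

// CORS middleware: these headers govern cross-origin reads (fetch/XHR), not iframe embedding
var allowCrossDomain = function (req, res, next) {
    res.header('Access-Control-Allow-Origin', '*');
    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
    res.header('Access-Control-Allow-Headers', 'Content-Type, X-Requested-With, Authorization');
    // Answer preflight requests directly; res.send(200) is deprecated in Express 4
    if (req.method === "OPTIONS") res.sendStatus(200);
    else next();
};
app.use(allowCrossDomain);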
Now, how do I set the X-Frame-Options header with the whitelisted origin values here?
You should import helmet and use frameguard to get some origins whitelisted. More on this topic: MDN X-FRAME-OPTIONS, Best Practice Security
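In current browsers X-Frame-Options only takes DENY or SAMEORIGIN (the obsolete ALLOW-FROM accepted a single origin), so an allowlist of several embedding origins is expressed with the Content-Security-Policy `frame-ancestors` directive. The following is an added example, not code from the question or the answer; the origins and the function names are hypothetical, and it assumes the embedding clients are served over https.

```javascript
// Added example. The origins are constructed placeholders for the embedding clients.
const ALLOWED_FRAME_ANCESTORS = [
  'https://desktop.example.com',
  'https://m.example.com',
];

// Accept only bare https origins (scheme + host [+ port]), so a config entry
// cannot carry a path or smuggle a second CSP directive into the header.
function normalizeOrigins(origins) {
  return origins.map((entry) => {
    const url = new URL(entry); // throws on malformed input
    if (url.protocol !== 'https:' || url.origin !== entry) {
      throw new Error(`not a bare https origin: ${entry}`);
    }
    return url.origin;
  });
}

// Build the response headers for a given allowlist.
function framingHeaders(origins) {
  const list = normalizeOrigins(origins);
  if (list.length === 0) {
    // Nobody may frame the resource: both headers can express that.
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  // X-Frame-Options cannot express a list, so only CSP is sent here.
  return { 'Content-Security-Policy': `frame-ancestors ${list.join(' ')}` };
}

// Express-style middleware factory; a bad entry fails at startup, not per request.
// Assumes no other middleware sets a Content-Security-Policy header.
function frameAllowlist(origins) {
  const headers = framingHeaders(origins);
  return function (req, res, next) {
    res.removeHeader('X-Frame-Options'); // drop any value set earlier in the chain
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    next();
  };
}

// Usage in the app from the question: app.use(frameAllowlist(ALLOWED_FRAME_ANCESTORS));
```

The browser enforces the list against the embedding page, so the server sends the same header on every response and does not need to inspect the request's origin.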