[英]how securing a public nodejs api to only requests from the frontend
I have a node frontend express server and a node api express server. 我有一个节点前端快递服务器和一个节点api快递服务器。
How can I best ensure that only requests that are made to the api are made from the frontend express server? 如何最好地确保仅对api的请求是从前端Express服务器发出的?
There is no user authentication so the user will not be sending a jwt with each request. 没有用户身份验证,因此用户将不会随每个请求发送jwt。
The easiest way would be to set the Content Security Policy using Helmet.js And you can easily add other security features using Helmet. 最简单的方法是使用Helmet.js设置内容安全策略,然后可以使用Helmet轻松添加其他安全功能。
const helmet = require('helmet')
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
// styleSrc probably not needed but you can set those too
styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com']
}
}))
This effectively tells the browser “only load things that are from my own domain” 这有效地告诉浏览器“仅加载来自我自己域的内容”
https://helmetjs.github.io/docs/csp/ https://helmetjs.github.io/docs/csp/
https://github.com/helmetjs/helmet https://github.com/helmetjs/helmet
in my opinions, you should 在我看来,你应该
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.