关于字符串值的 Nodejs 安全最佳实践
[英]Nodejs security best practice regarding string values
问题描述
I need to get the IP address using nodejs/express.
我需要使用 nodejs/express 获取 IP 地址。 Below is the statement I use for this.下面是我为此使用的语句。
const ipAddress = String(req.ip || "unknown");
Since req.ip originates from an HTTP header, a malicious user could change it.由于 req.ip 源自 HTTP 标头,恶意用户可以更改它。 Is this then the best way to get the user's IP address?这是获取用户IP地址的最佳方式吗?
2 个解决方案
解决方案1
1 2021-10-31 18:56:00
I suppose how "secure" it is depends on what you are trying to secure against.我想它的“安全”程度取决于您要保护的对象。
Generally an IP should be considered transient - users on mobile can enter or exit wifi or different cell towers, and their IP can change.一般来说,IP 应该被认为是暂时的——移动用户可以进入或退出 wifi 或不同的手机信号塔,他们的 IP 可以改变。 IPs can also be spoofed. IP也可以被欺骗。
If you are using Express, req.ip does NOT normally come from a header but from the connection itself .如果您使用 Express, req.ip通常不是来自标头,而是来自连接本身。 The exception is if you are using a reverse proxy -- are you?例外情况是,如果您使用的是反向代理——是吗? In which case we'll need more details about the proxy being used and your proxy setup.在这种情况下,我们需要有关正在使用的代理和您的代理设置的更多详细信息。 Proxies should be configured to always overwrite the X-Forwarded-For sent by the client, such that the header can always be trusted.代理应配置为始终覆盖客户端发送的X-Forwarded-For ,以便始终可以信任标头。
解决方案2
0 2021-10-31 18:55:38
Here's the code I changed the above to:这是我将上面的代码更改为:
let ipAddress = "";
if (req.ip === undefined) ipAddress = "unknown";
else ipAddress = String(req.ip);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.