X-Frame-Options HTTP response header does not work

I am trying to add the X-Frame-Options response header in my app, so I am configuring this in my Express server. I have used helmet as an npm package to configure it, and this is the code which I have used:

const express = require("express");
const helmet = require("helmet");

const app = express();

// Only the frameguard middleware is mounted here, not helmet() as a whole
app.use(
  helmet.frameguard({
    action: "SAMEORIGIN",
  })
);

// Route and listener needed to actually serve a response to inspect
app.get("/", (req, res) => res.send("hello"));
app.listen(3000);

But still I am not able to see the header X-Frame-Options: SAMEORIGIN in the browser.


Can anyone tell me what I am doing wrong, or any better way to solve this?

Helmet by default sets the following headers:

Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Expect-CT: max-age=0
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0

You can read more in their documentation for the default headers.

So for the header X-Frame-Options: SAMEORIGIN you need to configure it in the following manner:

const express = require("express");
const helmet = require("helmet");

const app = express();
// Mounts all of helmet's default middleware, including frameguard
app.use(helmet());

This will set the default headers, including X-Frame-Options: SAMEORIGIN.
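Once the app is running, the useful check is not just whether X-Frame-Options appears, but what framing policy browsers will actually enforce from the full response. The function below is an added example (not from the answer above and not part of helmet or Express): it takes a response's header map and reports the effective policy, taking into account that CSP frame-ancestors overrides X-Frame-Options when both are present, and that the obsolete ALLOW-FROM value is not honoured by current browsers. The header sets are constructed for the demo; HELMET_DEFAULTS is a subset of the defaults listed in the answer.

```javascript
// Report the framing policy a browser would enforce for a given response.
function effectiveFramingPolicy(headers) {
  // Header names are case-insensitive; normalise keys for lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  // CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
  const csp = h["content-security-policy"] || "";
  const fa = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1);
    // A wildcard source allows framing from anywhere, so it is not protection.
    return { source: "csp", protected: !sources.includes("*"), sources };
  }

  // Fall back to X-Frame-Options; value comparison is case-insensitive.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { source: "xfo", protected: true, value: xfo };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    return { source: "xfo", protected: false, value: xfo, note: "ALLOW-FROM is obsolete and ignored by current browsers" };
  }
  return { source: "none", protected: false, note: "response can be framed by any origin" };
}

// Constructed sample responses for the demo.
const FRAMEGUARD_ONLY = { "X-Frame-Options": "SAMEORIGIN" };
const HELMET_DEFAULTS = {
  "Content-Security-Policy": "default-src 'self';frame-ancestors 'self';object-src 'none'",
  "X-Frame-Options": "SAMEORIGIN",
};
const NO_PROTECTION = { "Content-Type": "text/html" };

for (const [name, hdrs] of Object.entries({ FRAMEGUARD_ONLY, HELMET_DEFAULTS, NO_PROTECTION })) {
  console.log(name, effectiveFramingPolicy(hdrs));
}
```

To run it against the live app, paste the headers from the browser's network panel (or from `curl -sI http://localhost:3000/`) into the header map.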
