X-Frame-Options HTTP response header does not work
I am trying to add an X-Frame-Options response header in my app. So I am configuring this in my Express server. I have used helmet as an npm package to configure it, and this is the code which I have used:
const express = require("express");
const helmet = require("helmet");
const app = express();
// Only the frameguard middleware is applied here; no other Helmet headers are set
app.use(
  helmet.frameguard({
    action: "SAMEORIGIN",
  })
);
// A route to request, so the response headers can be inspected in the browser
app.get("/", (req, res) => res.send("ok"));
app.listen(3000);
But still I am not able to see the header X-Frame-Options: SAMEORIGIN in the browser.
Can anyone tell me what I am doing wrong, or a better way to solve this?
Helmet by default sets the following headers:
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Expect-CT: max-age=0
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
You can read more in their documentation for default headers.
So for the header X-Frame-Options: SAMEORIGIN you need to configure it in the following manner:
const express = require('express');
const helmet = require("helmet");
const app = express();
// helmet() with no arguments applies the full default middleware set
app.use(helmet());
app.get('/', (req, res) => res.send('ok'));
app.listen(3000);
This will set the default headers and X-Frame-Options: SAMEORIGIN.
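A way to check what a browser will actually do with the headers listed in the answer above, as an added example that is not part of the question or the answer. It is plain Node with no Express or Helmet dependency, and the header objects it inspects are constructed samples based on the defaults listed above. It reads both X-Frame-Options and the CSP frame-ancestors directive, because when both are present browsers enforce frame-ancestors and ignore X-Frame-Options; the header you look for in DevTools may therefore be present yet not be the one in control. The function and constant names are this example's own.

```javascript
// Added example, not code from the question or the answer: decide from a
// response's headers whether other origins can frame the page. Plain Node,
// no Express or Helmet required. All header sets below are constructed samples.

// Parse a Content-Security-Policy value into Map(directive -> source list).
// Per the CSP spec, only the first occurrence of a directive is enforced.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Case-insensitive header lookup: Node lowercases names, browsers show them as sent.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value.join(", ") : String(value);
    }
  }
  return undefined;
}

// Report which mechanism governs framing and whether cross-origin framing is blocked.
// frame-ancestors, when present, takes precedence over X-Frame-Options.
function assessFramingProtection(headers) {
  const csp = getHeader(headers, "content-security-policy");
  if (csp !== undefined) {
    const ancestors = parseCsp(csp).get("frame-ancestors");
    if (ancestors !== undefined) {
      const selfOnly = ancestors.every((s) => s === "'self'" || s === "'none'");
      return { mechanism: "csp-frame-ancestors", sources: ancestors, crossOriginFramingBlocked: selfOnly };
    }
  }
  const xfo = getHeader(headers, "x-frame-options");
  if (xfo !== undefined) {
    const action = xfo.trim().toUpperCase();
    // Only DENY and SAMEORIGIN are honoured by current browsers; ALLOW-FROM is not.
    const recognised = action === "DENY" || action === "SAMEORIGIN";
    return { mechanism: "x-frame-options", action, crossOriginFramingBlocked: recognised };
  }
  return { mechanism: "none", crossOriginFramingBlocked: false };
}

// Constructed sample: the headers helmet() sets by default (abbreviated from the answer's list).
const HELMET_DEFAULT_SAMPLE = {
  "Content-Security-Policy":
    "default-src 'self';base-uri 'self';frame-ancestors 'self';object-src 'none';script-src 'self'",
  "X-Frame-Options": "SAMEORIGIN",
};

// Constructed sample: only helmet.frameguard() applied, as in the question (Node-style lowercase keys).
const FRAMEGUARD_ONLY_SAMPLE = { "x-frame-options": "SAMEORIGIN" };

// Constructed sample: a CSP without frame-ancestors, so X-Frame-Options decides.
const CSP_WITHOUT_ANCESTORS_SAMPLE = {
  "content-security-policy": "default-src 'self'",
  "x-frame-options": "DENY",
};

const samples = { HELMET_DEFAULT_SAMPLE, FRAMEGUARD_ONLY_SAMPLE, CSP_WITHOUT_ANCESTORS_SAMPLE };
for (const [label, headers] of Object.entries(samples)) {
  console.log(label, assessFramingProtection(headers));
}
```

To run it against a live server instead of the constructed samples, pass `res.headers` from an `http.get` (or the headers object from `fetch`) to `assessFramingProtection`; the lookup is case-insensitive, so both Node's lowercased names and the original casing work.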