堆栈内存溢出
  简体   繁体   English

如何阻止Node.js / Express提供我的应用程序的源代码?

[英]How do I prevent Node.js / Express serving up my application's source code?

 原文  2012-12-12 22:19:16       security/ node.js/ express

问题描述

I never thought this would be a problem with Node.js and Express, but on a crazy whim I decided to type into a browser the location of one of the source files in my Node.js Express project - something like: 我从没想过这会是Node.js和Express的问题,但是我疯狂地想到要在浏览器中键入我的Node.js Express项目中某个源文件的位置 - 类似于:

http://www.mywebsite.com/mynodejsapp/app.js http://www.mywebsite.com/mynodejsapp/app.js

To my extreme horror , my application's source code popped right up, publicly available for all to see. 令我非常恐怖的是 ,我的应用程序的源代码突然出现,公开供所有人查看。

So, that aside: how do I stop it in Node.js / Express? 那么,除此之外:我如何在Node.js / Express中停止它?

My setup code is pretty straightforward: 我的设置代码非常简单: 

var app = express();
app.configure(function() {
    app.use(express.static('/home/prod/server/app/public'));
});
app.listen(8888);

To clarify, this is what my folder structure looks like: 为了澄清,这就是我的文件夹结构:

/home/prod/server/
/home/prod/server/app.js
/home/prod/server/public/

All sorts of various files that are intended for public access live under /public . 意图用于公共接入的各种文件的各种生活在/public All of my server source code lives under /server/ , and my understanding of Express's static folder configuration is that the static folder is the only place that Express happily serves up files from the filesystem from. 我的所有服务器源代码都在/server/ ,我对Express的静态文件夹配置的理解是,静态文件夹是Express愉快地从文件系统提供文件的唯一地方。

Any ideas? 有任何想法吗?

1 个解决方案

解决方案1
 10 已采纳  2012-12-12 22:24:54

From what you posted it really smells like the URL you entered is served by eg Apache/nginx/... and you did put your node app within the document root. 从你发布的内容来看,它真的闻起来就像你输入的URL是由Apache / nginx / ...提供的,你确实把你的节点应用程序放在了文档根目录中。 The answer is simple in this (and any similar) case: 这个(以及任何类似的)案例的答案很简单:

You never put any of your sourcecode files within the document root or another HTTP-accessible folder. 永远不会将任何源代码文件放在文档根目录或其他HTTP可访问文件夹中。 In your case, /home/prod/server/app/public should contain only client-side stuff (HTML, CSS, Graphics, (minified) client-side JS) and nginx should not have anything above this folder as its document root. 在你的情况下, /home/prod/server/app/public应该只包含客户端的东西(HTML,CSS,图形,(缩小的)客户端JS),nginx不应该有任何高于此文件夹的文件根目录。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我如何知道我的 Node.JS 应用程序安全性是否符合标准? - How can I know my Node.JS application security is up to standard? node.js在服务器目录中提供HTML文档 - node.js serving up HTML documents in server directory 在服务器上运行之前如何清理代码? (的node.js) - How to scrub code before running on my server? (node.js) 网络安全。 我能正确保护我的REST api吗? (node.js表示) - Web security. Am I protecting my REST api properly? (node.js express) 防止从 Node.js 应用程序直接访问 URL - Prevent Direct Url Access from Node.js Application JWT:什么是一个好的秘密密钥,以及如何将它存储在Node.js / Express应用程序中? - JWT: What's a good secret key, and how to store it in an Node.js/Express app? 如何防止用户使用用于在 Web 应用程序中下载 pdf 文件的 PHP 下载选项下载源代码文件? - How to prevent users from downloading source code files using the PHP download option I have for downloading pdf files in my web application? 如何防止在我的http服务器上用node.js写的DOS攻击? - How to prevent DOS attacks on my http server which written in node.js? 如何防止恶意* .js脚本在Node.js中执行 - How to prevent malicious *.js scripts from executing in Node.js 如何防止Node.js应用中的会话溢出? - How to prevent overflow of sessions in node.js app?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM