摘要:
2.X-Permitted-Cross-Domoain-PolicysHelmet’scrossdomainmiddlewarepreventsAdobeFlashandAdobeAcrobatfromloadingcontentonyoursite.这个头部可以防止AdobeFlash和AdobeAcrobat在你的网站上去加载其它域名的内容。通过设置Cache-Control,Surrogate-Control,Pragma,Expires这几个headers。
Helmet is a collection of 12 middleware to help set some security headers.
helmet 是一个包括了12个中间件,用来设置一些安全的 headers 的集合。
1. Content-Security-Policy: default-src 'self'
the CSP module sets theContent-Security-Policyheader which can help protect against malicious injection of JavaScript, CSS, plugins, and more.
这个模块可以通过设置 Content-Security-Policy 这个 header 来防止被恶意注入 js, css, plugins 或者更多的内容。默认不启用。
2. X-Permitted-Cross-Domoain-Policys
Helmet’scrossdomainmiddleware prevents Adobe Flash and Adobe Acrobat from loading content on your site.
这个头部可以防止 Adobe Flash 和 Adobe Acrobat 在你的网站上去加载其它域名的内容。默认不启用。
3. X-DNS-Prefetch-Control
this middleware lets you disable browsers’ DNS prefetching by setting theX-DNS-Prefetch-Controlheader.
这个 header 可以让你禁止浏览器进行 DNS 预读取。通过这个设置,可以防止用户越权获取网站信息。默认启用。
4.Expect-CT
TheExpect-CTHTTP header tells browsers to expect Certificate Transparency.
这个 header 告诉浏览器是否期望 证书透明度。默认不启用。
5. X-Frame-Options
Frameguard mitigates clickjacking attacks by setting theX-Frame-Optionsheader.
这个模块用来缓解点击劫持攻击。通过设置 X-Frame-Options ,可以设置是否允许页面加载 iframe, 或者设置允许同源或者某个站点的 iframe 加载。默认开启。
6. X-Powerd-By
The Hide Powered-By middleware removes theX-Powered-Byheader to make it slightly harder for attackers to see what potentially-vulnerable technology powers your site.
Express 或者其它的技术(比如 PHP)会设置一个叫做 X-Powered-By 的头部来表明这个服务背后是什么技术,这个模块可以去掉这个模块,或者伪装成其它模块。默认开启。
7. Public-Key-Pins
the HTTP Public Key Pinning module helps you set thePublic-Key-Pins header to prevent person-in-the-middle attacks.
这个模块用来防止中间人攻击,原理是通过存储证书的 hash 值来让浏览器识别是否是同一网站的证书。很容易误用而引起问题。慎重使用。默认不开启。
8. Strict-Transport-Security
this module sets theStrict-Transport-Securityheader to keep your users on HTTPS.
这个模块用来设置你的用户只能访问 https 的网站的时间。默认启用。
9. X-Download-Options
this middleware sets theX-Download-Optionsto prevent Internet Explorer from executing downloads in your site’s context.
这个模块用来设置避免低版本 IE 的问题,防止在你的网站执行下载的内容(比如页面或者脚本),默认开启。
10. nocache
thenocachemiddleware aims to disable browser caching by setting several headers.
通过设置几个 headers 来禁止浏览器缓存。如果浏览器缓存了文件,比如 js, 你就难以通过更新新版本代码来解决旧版本代码的问题。通过设置 Cache-Control, Surrogate-Control(控制代理), Pragma, Expires 这几个 headers 。默认不开启。
11. noSniff
the Don’t Sniff Mimetype middleware,noSniff, helps prevent browsers from trying to guess (“sniff”) the MIME type, which can have security implications. It does this by setting theX-Content-Type-Optionsheader tonosniff
这个模块用来禁止浏览器嗅探文件类型,防止使用虚假文件类型欺诈。默认开启
12. Referer-Policy
the Referrer Policy module can control the behavior of theRefererheader by setting theReferrer-Policyheader
通过设置 Referrer-Policy 来控制 referer 的值
13. X-XSS-Protection
thexssFiltermiddleware sets theX-XSS-Protectionheader to prevent reflected XSS attacks.
Visit each module’s page to learn more.
Module | Included by default? |
contentSecurityPolicyfor setting Content Security Policy | |
crossdomainfor handling Adobe products’ crossdomain requests | |
dnsPrefetchControlcontrols browser DNS prefetching | ✓ |
expectCtfor handling Certificate Transparency | |
frameguardto prevent clickjacking | ✓ |
hidePoweredByto remove the X-Powered-By header | ✓ |
hpkpfor HTTP Public Key Pinning | |
hstsfor HTTP Strict Transport Security | ✓ |
ieNoOpensets X-Download-Options for IE8+ | ✓ |
noCacheto disable client-side caching | |
noSniffto keep clients from sniffing the MIME type | ✓ |
referrerPolicyto hide the Referer header | |
xssFilteradds some small XSS protections | ✓ |