Can't get rid of the header X-Powered-By:Express

2020/10/24 14:02 · javascript · 0 comments

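I am running a server on nodejs with express. I can't seem to get rid of the header:

X-Powered-By:Express

I was wondering if there is any way to get rid of this header, or do I have to live with it?

In Express >= 3.0.0rc5: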

app.disable('x-powered-by');

Here is a simple middleware that removes the header in earlier versions of Express:

app.use(function (req, res, next) {
  res.removeHeader("x-powered-by");
  next();
});

Just to piggy-back on rjack's answer, you could also (optionally) just change (set) the X-powered-by header to something much cooler/more custom, like this:

app.use(function (req, res, next) {
  res.header("X-powered-by", "Blood, sweat, and tears")
  next()
})

As of Express v3.0.0rc5, support for disabling the X-Powered-By header is built in:

var express = require('express');

var app = express();
app.disable('x-powered-by');

From the source (http://expressjs.com/en/api.html#app.set). In Express 4.X, just set the app using the line below:

app.set('x-powered-by', false) // hide x-powered-by header!

Here's a handy middleware you can drop in to swap out X-Powered-By:

function customHeaders( req, res, next ){
  // Switch off the default 'X-Powered-By: Express' header
  app.disable( 'x-powered-by' );

  // OR set your own header here
  res.setHeader( 'X-Powered-By', 'Awesome App v0.0.1' );

  // .. other headers here

  next()
}

app.use( customHeaders );

// ... now your code goes here

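In this case, setting X-Powered-By overrides the default "Express", so you do not need to both disable it and set a new value.

Maybe this could be obvious to the more seasoned Express users, but only this worked for me: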

app.configure(function() {
    app.use(function (req, res, next) {
        res.removeHeader("X-Powered-By");
        next();
    });
});

Sometimes the answers at the top don't work. This is my case. I have Express 4.17.1 and none of the answers work. So I invented my own solution:

let app = express();

app.use((req, res, next) => {
  const send = res.send;
  res.send = (data) => {
    res.removeHeader('X-Powered-By');
    return send.call(res, data);
  };

  next();
});

For hiding it, you can use the Node.js library helmet.

The link for that is helmet.

var helmet = require('helmet');
app.use(helmet.hidePoweredBy());

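None of the standard solutions worked for me either. After much searching I found out that we used a routes file in which a new Express instance was started, which was later added to the first one by using app.use. The X-Powered-By header was present only for the routes in this new Express instance.

Simplistic view of the issue: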

const app = express();
app.disable("x-powered-by");
app.get("/ping", (req, res) => res.send("Pong")); // <-- no X-Powered-By header

const moreRoutes = express();
moreRoutes.get("/ping", (req, res) => res.send("Pong")); // <-- X-Powered-By header still present

app.use("/api/v2", moreRoutes);

The solution was simply to create a new express.Router instead of a whole instance.

const moreRoutes = express.Router();
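
An added check for the symptom described in the answer above (not part of the original answers): it takes captured response headers, matches X-Powered-By case-insensitively, and groups the hits by mount point so that a nested express() instance stands out. The sample responses and the function names poweredBy, mountOf and auditPoweredBy are constructed for this illustration.

```javascript
// Constructed sample: responses captured from the app in the answer above,
// in the flat [name, value, ...] layout of Node's http `rawHeaders`.
const captured = [
  { path: '/ping', rawHeaders: ['Content-Type', 'text/html; charset=utf-8'] },
  { path: '/api/v2/ping',
    rawHeaders: ['X-Powered-By', 'Express', 'Content-Type', 'text/html; charset=utf-8'] },
  { path: '/api/v2/users', rawHeaders: ['x-powered-by', 'Express'] },
];

// Return the X-Powered-By value of one response, or null when it is absent.
// Header names are case-insensitive, so compare in lower case.
function poweredBy(rawHeaders) {
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    if (rawHeaders[i].toLowerCase() === 'x-powered-by') return rawHeaders[i + 1];
  }
  return null;
}

// Attribute a path to the longest matching mount point ('/' is the root app).
// Matching on whole path segments keeps '/api/v20' out of '/api/v2'.
function mountOf(path, mounts) {
  const hits = mounts.filter((m) => path === m || path.startsWith(m + '/'));
  return hits.sort((a, b) => b.length - a.length)[0] || '/';
}

// Summarise leaks per mount point. A mount where routes leak while the root
// app is clean points at a separate express() instance mounted there.
function auditPoweredBy(responses, mounts) {
  const byMount = new Map();
  for (const { path, rawHeaders } of responses) {
    const mount = mountOf(path, mounts);
    const entry = byMount.get(mount) || { mount, checked: 0, leaking: [] };
    entry.checked += 1;
    const value = poweredBy(rawHeaders);
    if (value !== null) entry.leaking.push({ path, value });
    byMount.set(mount, entry);
  }
  return [...byMount.values()];
}

for (const { mount, checked, leaking } of auditPoweredBy(captured, ['/api/v2'])) {
  console.log(`${mount}: ${leaking.length}/${checked} responses carry X-Powered-By`);
}
```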

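Reading the code https://github.com/visionmedia/express/blob/master/lib/http.js#L72 makes me believe that you will have to live with it, since it doesn't seem to be conditional.

If you have an nginx/apache frontend, you can still remove the header with it (with mod_headers for apache and headers-more for nginx).

removeHeader will work only in route middleware; coffeescript example: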

fix_headers =  (req, res, next) ->
    res.removeHeader 'X-Powered-By'
    next()

app.get '/posts', fix_headers, (req, res, next) ->
  ...

None of this worked for me, except this (you need to add another parameter):

app.use(helmet.hidePoweredBy({ setTo: 'guesswhat' }))

I'm using Express ^4.17

Note: Answers are scattered through the posts and this is meant to be a compilation, plus some additions of my own. They are all tested.

Note 2: Something important is missing: if you're checking headers in your frontend, using a development server, be it Angular, React or webpack dev server, you will still see the header. This is because webpack-dev-server is indeed an Express server and what you're seeing are the headers presented from that application. Your backend won't send the header if using one of these options.


There are many ways to do this.

1) Disable the "X-powered-by" option that Express enables by default:
import express from 'express'
const app = express()
app.disable('x-powered-by')
// app.use(...)

2) Use a middleware to remove it on every request:

  • Remove the X-powered-by key
import express from 'express'
const app = express()

app.use(function (req, res, next) {
  res.removeHeader("X-Powered-By");
  next();
});
  • Change the X-powered-by value
import express from 'express'
const app = express()

app.use(function (req, res, next) {
  res.header("X-powered-by", "not-Express")
  next()
})

3) Use helmet to remove it, and configure 10 other recommended HTTP headers ("It's not a silver bullet, but it can help!")

  • Default settings (applies all 11 HTTP headers)
import express from 'express'
import helmet from 'helmet'
const app = express()

app.use(helmet())
  • Remove only X-powered-by
import express from 'express'
import helmet from 'helmet'
const app = express()

app.use(helmet.hidePoweredBy());

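Related to "Note 2":

If you're using webpack-dev-server for hot reloading, you will still see this header. That's because it uses an Express server, so the header comes from it and not from the backend Express you're configuring.

Even if you haven't set up webpack-dev-server, some boilerplate tools used in the major frontend frameworks (such as create-react-app) will still use webpack-dev-server under the hood.

For example, if you check the start script in CRA (called when running "npm start"):

[Image: npm start react script]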

Article URL: http://javascript.askforanswer.com/wufabaituobiaotoux-powered-byexpress.html