2021-05-05 10:13:49 -07:00
|
|
|
---
|
|
|
|
|
id: 587d8247367417b2b2512c37
|
2021-07-16 11:03:16 +05:30
|
|
|
title: 使用 helmet.hidePoweredBy() 隱藏潛在的危險信息
|
2021-05-05 10:13:49 -07:00
|
|
|
challengeType: 2
|
|
|
|
|
forumTopicId: 301580
|
|
|
|
|
dashedName: hide-potentially-dangerous-information-using-helmet-hidepoweredby
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# --description--
|
|
|
|
|
|
2021-07-16 11:03:16 +05:30
|
|
|
請注意,本項目在[這個 Repl.it 項目](https://replit.com/github/freeCodeCamp/boilerplate-infosec)的基礎上進行開發。你也可以從 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
|
2021-05-05 10:13:49 -07:00
|
|
|
|
2021-07-16 11:03:16 +05:30
|
|
|
如果黑客發現你的網站是用 Express 搭建的,那麼他們就可以利用 Express 或 Node 現存的漏洞來攻擊你的網站。 `X-Powered-By: Express` 默認在來自 Express 的每個請求中被髮送。 使用 `helmet.hidePoweredBy()` 中間件來移除 X-Powered-By 頭。
|
2021-05-05 10:13:49 -07:00
|
|
|
|
|
|
|
|
# --hints--
|
|
|
|
|
|
2021-07-16 11:03:16 +05:30
|
|
|
應正確地安裝 helmet.hidePoweredBy() 中間件
|
2021-05-05 10:13:49 -07:00
|
|
|
|
|
|
|
|
```js
|
|
|
|
|
(getUserInput) =>
|
|
|
|
|
$.get(getUserInput('url') + '/_api/app-info').then(
|
|
|
|
|
(data) => {
|
|
|
|
|
assert.include(data.appStack, 'hidePoweredBy');
|
|
|
|
|
assert.notEqual(data.headers['x-powered-by'], 'Express');
|
|
|
|
|
},
|
|
|
|
|
(xhr) => {
|
|
|
|
|
throw new Error(xhr.responseText);
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# --solutions--
|
|
|
|
|
|
|
|
|
|
```js
|
|
|
|
|
/**
|
|
|
|
|
Backend challenges don't need solutions,
|
|
|
|
|
because they would need to be tested against a full working project.
|
|
|
|
|
Please check our contributing guidelines to learn more.
|
|
|
|
|
*/
|
|
|
|
|
```
|
