gaspersic/freeCodeCamp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
61460c8601a1227201ffc809866da7c6cf83f733
freeCodeCamp/curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/mitigate-the-risk-of-clickjacking-with-helmet.frameguard.chinese.md
Oliver Eyton-Williams 61460c8601 fix: insert blank line after ``` 
search and replace ```\n< with ```\n\n< to ensure there's an empty line
before closing tags
2020-08-16 04:45:20 +05:30

2.1 KiB
Raw Blame History

id, title, challengeType, videoUrl, localeTitle
id title challengeType videoUrl localeTitle
587d8247367417b2b2512c38 Mitigate the Risk of Clickjacking with helmet.frameguard() 2 使用helmet.frameguard降低点击劫持的风险

Description

提醒一下,这个项目是基于Glitch的以下入门项目构建的,或者是从GitHub克隆的。未经您的同意,您的页面可以放在<frame><iframe> 。除其他外这可能导致点击劫持攻击。点击劫持是一种欺骗用户与不同于用户认为的页面进行交互的技术。这可以通过iframing在恶意上下文中执行您的页面获得。在这种情况下黑客可以在页面上放置隐藏层。隐藏按钮可用于运行错误的脚本。此中间件设置X-Frame-Options标头。它限制了谁可以将您的网站放在框架中。它有三种模式DENYSAMEORIGIN和ALLOW-FROM。我们不需要我们的应用程序框架。您应该使用配置对象{action: 'deny'}传递的helmet.frameguard()

Instructions

Tests

tests:
  - text: helmet.frameguard中间件应正确安装
    testString: getUserInput => $.get(getUserInput('url') + '/_api/app-info').then(data => { assert.include(data.appStack, 'frameguard', 'helmet.frameguard() middleware is not mounted correctly'); }, xhr => { throw new Error(xhr.responseText); })
  - text: helmet.frameguard'action'应该设置为'DENY'
    testString: getUserInput => $.get(getUserInput('url') + '/_api/app-info').then(data => { assert.property(data.headers, 'x-frame-options'); assert.equal(data.headers['x-frame-options'], 'DENY');}, xhr => { throw new Error(xhr.responseText); })

Challenge Seed

Solution

// solution required

/section>