2.1 KiB
2.1 KiB
id | title | challengeType | videoUrl | localeTitle |
---|---|---|---|---|
587d8247367417b2b2512c38 | Mitigate the Risk of Clickjacking with helmet.frameguard() | 2 | 使用helmet.frameguard()降低点击劫持的风险 |
Description
<frame>
或<iframe>
。除其他外,这可能导致点击劫持攻击。点击劫持是一种欺骗用户与不同于用户认为的页面进行交互的技术。这可以通过iframing在恶意上下文中执行您的页面获得。在这种情况下,黑客可以在页面上放置隐藏层。隐藏按钮可用于运行错误的脚本。此中间件设置X-Frame-Options标头。它限制了谁可以将您的网站放在框架中。它有三种模式:DENY,SAMEORIGIN和ALLOW-FROM。我们不需要我们的应用程序框架。您应该使用配置对象{action: 'deny'}
传递的helmet.frameguard()
。 Instructions
Tests
tests:
- text: helmet.frameguard()中间件应正确安装
testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.include(data.appStack, "frameguard", "helmet.frameguard() middleware is not mounted correctly"); }, xhr => { throw new Error(xhr.responseText); })'
- text: helmet.frameguard()'action'应该设置为'DENY'
testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.property(data.headers, "x-frame-options"); assert.equal(data.headers["x-frame-options"], "DENY");}, xhr => { throw new Error(xhr.responseText); })'
Challenge Seed
Solution
// solution required