代理服务器背后的Node.js安全厨师和HTTPOnly
在具有安全cookie和代理服务器后的HTTPOnly的Node.js中. HttpOnly标志和带有Secure标志的Cookie如何将其标头发送到代理服务器?
In Nodejs with secure cookie and HTTPOnly behind a proxy server. How does HttpOnly flag and Cookie with Secure flag send it headers to proxy server?
我一直在阅读并且假设我需要在代理服务器上启用X-Forward-Proto?
I have been reading and assume I need to enable X-Forward-Proto on my proxy server?
process.env.NODE_ENV = 'production';
if (app.get('env') === 'production') {
app.set('trust proxy', 1) // trust first proxy
}
app.use(session({
store: new RedisStore({host: '127.0.0.1', port: 6379, client: client, ttl: 3600}),
key: 'sid',
secret: 'abcde',
resave: false,
saveUninitialized: false,
// proxy: true,
cookie: {
secure: true,
httpOnly: true,
maxAge: 3600000
}
}));
我遇到了类似的问题,并在本教程.
I had a similar problem and solved it with the help of this tutorial.
您还需要在会话配置中将proxy选项设置为true.
我建议使用环境变量表达式process.env.NODE_ENV === "production"进行此操作.
You also need to set the proxy option to true in your session config.
I would suggest doing this with an environment variable expression process.env.NODE_ENV === "production".
app.use(session({
store: new RedisStore({host: '127.0.0.1', port: 6379, client: client, ttl: 3600}),
key: 'sid',
secret: 'abcde',
resave: false,
saveUninitialized: false,
proxy: process.env.NODE_ENV === "production",
cookie: {
secure: process.env.NODE_ENV === "production",
httpOnly: true,
maxAge: 3600000
}
}));
从 express-session 文档中:
代理
设置安全Cookie(通过"X-Forwarded-Proto"标头)时信任反向代理.
Trust the reverse proxy when setting secure cookies (via the "X-Forwarded-Proto" header).
默认值为未定义.
true将使用"X-Forwarded-Proto"标头.
true The "X-Forwarded-Proto" header will be used.