最佳答案
采用白名单方法
// before your other code check supported methods
// assuming these ones are, just add/remove ones to customize
if (!/^(GET|PUT|POST|DELETE)$/.test(req.method)) {
res.status(400).end('bad request');
return;
}
// your code goes here now
或如果使用 express,则使用中间件
router.use((req, res, next) => {
if (!/^(GET|PUT|POST|DELETE)$/.test(req.method)) {
res.status(400).end('bad request');
return;
}
next();
});
用唐纳德·拉姆斯菲尔德的话...
Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.
tl;dr 重要的是,您只能知道自己知道什么,所以请使用白名单。
关于http - Express - 如何阻止无效的 http 方法?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/47340081/