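I have gone through every question and blog post I could find on this topic, but I cannot get rid of x-powered-by: express.
This is my application, whose only function is to not display the "x-powered-by: express" header. It combines every suggestion I could find on how to do this. I have tried each one separately, but none had any effect: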
"use strict";
var express = require("express");
var app = express();
app.set("x-powered-by", "your mum");
const helmet = require("helmet");
app.use(helmet());
const killHeader = (req, res, next) => {
  res.removeHeader("X-Powered-By");
  next();
};
app.get("/", killHeader, (req, res) => {
  res.header("X-powered-by", "A sack of rats");
  res.removeHeader("X-Powered-By");
  res.send("Hello world without x-powered headers");
});
app.disable("x-powered-by");
app.listen(3000, function () {
  console.log("Running");
});
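I feel I must be missing a key piece of information about where the header is generated and sent from, because when checking in Chrome's Network tab, no combination of the above strategies makes a difference. The environment is Windows, run through VSCode, but I had the same problem on Nginx on Ubuntu.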
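Best answer
You must be getting a cached response from the browser. Try checking the disable cache option in Chrome Dev Tools, or use an incognito tab. By default, the Helmet middleware removes the X-powered-by header. The following code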
const express = require("express");
const app = express();
const helmet = require("helmet");
app.use(helmet());
app.get("/", (req, res) => {
  res.send("Hello world without x-powered headers");
});
app.listen(3000, function () {
  console.log("Running");
});
returns the following headers
HTTP/1.1 200 OK
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=utf-8
Content-Length: 37
ETag: W/"25-CWR19lYRAgXhHOXfwllpUDHFWas"
Date: Mon, 19 Apr 2021 17:37:11 GMT
Connection: keep-alive
Tested with the following dependency versions
"dependencies": {
  "express": "4.16.4",
  "helmet": "3.21.2"
}
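To confirm the header is really gone without relying on what the browser shows, the response headers can be audited directly. The following is an added example, not code from the question or the answer; the function names, the list of fingerprinting headers and the sample responses are assumptions made for illustration.

```javascript
// Added example: audit response headers for fields that disclose the stack.
// Constructed list for this example; extend it to match your own policy.
const FINGERPRINT_HEADERS = ["x-powered-by", "server"];

// Parse a raw header dump (one "Name: value" per line) into a map keyed by
// lower-cased name, since header names are case-insensitive.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // status line or blank line
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Return the fingerprinting headers present in a lower-cased header map.
function findFingerprintHeaders(headers) {
  return FINGERPRINT_HEADERS.filter((name) => name in headers)
    .map((name) => ({ name, value: headers[name] }));
}

// Fetch headers straight from the server with Node 18+ global fetch, which
// keeps no HTTP cache, so a stale browser copy cannot mislead the check.
async function fetchHeaders(url) {
  const res = await fetch(url, { cache: "no-store" });
  return Object.fromEntries(res.headers);
}

// Constructed sample: a response with Express's x-powered-by left enabled.
const DEFAULT_EXPRESS = [
  "HTTP/1.1 200 OK",
  "X-Powered-By: Express",
  "Content-Type: text/html; charset=utf-8",
].join("\r\n");

// Subset of the response shown in the answer above (Helmet enabled).
const WITH_HELMET = [
  "HTTP/1.1 200 OK",
  "X-Frame-Options: SAMEORIGIN",
  "X-Content-Type-Options: nosniff",
  "Content-Type: text/html; charset=utf-8",
].join("\r\n");

console.log(findFingerprintHeaders(parseHeaders(DEFAULT_EXPRESS)));
console.log(findFingerprintHeaders(parseHeaders(WITH_HELMET)));
```

Against a running app, `fetchHeaders("http://localhost:3000/").then(findFingerprintHeaders)` performs the same check on a live response; an empty array means neither header was sent.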
Regarding node.js - Unable to remove the x-powered-by header in Node Express, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/67166472/