在我的NodeJS HTTP服务器上运行nmap
:
nmap -p 443 --script http-methods localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-28 11:26 BST
Nmap scan report for localhost
Host is up (0.00051s latency).
PORT STATE SERVICE
443/tcp open https
| http-methods: ACL BIND CHECKOUT CONNECT COPY DELETE GET HEAD LINK LOCK M-SEARC H MERGE MKACTIVITY MKCALENDAR MKCOL MOVE NOTIFY PATCH POST PROPFIND PROPPATCH PU RGE PUT REBIND REPORT SEARCH SUBSCRIBE TRACE UNBIND UNLINK UNLOCK UNSUBSCRIBE
| Potentially risky methods: ACL BIND CHECKOUT CONNECT COPY DELETE LINK LOCK M-S EARCH MERGE MKACTIVITY MKCALENDAR MKCOL MOVE NOTIFY PATCH PROPFIND PROPPATCH PUR GE PUT REBIND REPORT SEARCH SUBSCRIBE TRACE UNBIND UNLINK UNLOCK UNSUBSCRIBE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
MAC Address: AB:CD:75:EF:A5:6D (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
所以我希望禁用其中一些方法,主要是在"潜在风险方法中:"名单。
这在Apache中非常简单,但我无法在NodeJS中看到任何方法。
This SO question谈论编辑Node的C源代码,但我并不是真的想要这样做。
The node docs显示了一个http.METHODS方法,但这只是一个get。
答案 0 :(得分:5)
询问NodeJS帮助github并从 bnoordhuis 获得此响应:
const allowedMethods = ['GET','HEAD','POST'];
function onrequest(req, res) {
if (!allowedMethods.includes(req.method))
return res.end(405, 'Method Not Allowed');
// ...
}