docs: deprecate ignoreJSON (#2270)
dead-horse authored Mar 27, 2018
1 parent a86334c commit c3586ea
Showing 2 changed files with 8 additions and 4 deletions.
8 changes: 5 additions & 3 deletions docs/source/en/core/security.md
Expand Up @@ -350,7 +350,9 @@ module.exports = {
};
```

#### Ignore JSON request
#### Ignore JSON request(deprecated)

**Notice: this configure is deprecated, the attacker can bypass it through [flash and 307](https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/), please don't enable it in production environment!**

With security policy protection [SOP](https://en.wikipedia.org/wiki/Same-origin_policy), basically all modern browsers do not allow cross domain request when content-type is set to JSON, so we can just leave out JSON request.

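Review bot: the new notice line (`**Notice: this configure is deprecated, the attacker can bypass it through [flash and 307] ...`) justifies the deprecation only by a link; since the whole section now hinges on that bypass, state the mechanism in one sentence so the page stands on its own: a Flash movie served from an attacker host can issue a cross-origin POST with an arbitrary `Content-Type`, and a 307 redirect preserves the method, body and headers, so the request arrives at the target with `Content-Type: application/json` and the browser's cookies, and the JSON exemption lets it skip the CSRF token check. Two wording fixes on the same hunk: `#### Ignore JSON request(deprecated)` needs a space before the parenthesis, and `this configure is deprecated` should read `this option is deprecated`. The unchanged paragraph that follows (`With security policy protection [SOP] ... so we can just leave out JSON request.`) still recommends the exemption and credits SOP with the protection; SOP does not stop a cross-origin request, a JSON content type merely triggers a CORS preflight, which is exactly what the Flash/307 trick sidesteps. Rewrite it to describe the old reasoning as past tense, or fold it into the notice, and state the value readers should keep (`ignoreJSON: false`) so anyone who already enabled the option knows what to change.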
Expand Down Expand Up @@ -426,7 +428,7 @@ OK

Then server sets an httpOnly Cookie `a` to 1, it is not possible to get it through the script in the browser environment.

Then we send a TRACE method request to the server with Cookie `curl -X TRACE -b a=1 -i http://127.0.0.1:7001`, and will get response below:
Then we send a TRACE method request to the server with Cookie `curl -X TRACE -b a=1 -i http://127.0.0.1:7001`, and will get response below:

```
HTTP/1.1 200 OK
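Review bot: this hunk changes only whitespace on the `Then we send a TRACE method request ...` line (the removed and added lines read identically), which has nothing to do with the ignoreJSON deprecation named in the commit message; either drop the trailing-whitespace trim or mention it in the message so the diff is not misread as a content change. If the line is touched anyway, `and will get response below` reads better as `and get the response below`.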
Expand Down Expand Up @@ -592,7 +594,7 @@ So, if you use the Egg framework to develop web site developers, please be sure

For HTTPS, one should pay attention to is the HTTP transport security (HSTS) strictly, if you don't use HSTS, when a user input url in the browser without HTTPS, the browser will use HTTP access by default.

Framework provides `HSTS Strict-Transport-security`, this header will be opened by default, then let the HTTPS site not redirect to HTTP. If your site supports HTTPS, be sure to open it.If our Web site is an HTTP site, we need to close this header.
Framework provides `HSTS Strict-Transport-security`, this header will be opened by default, then let the HTTPS site not redirect to HTTP. If your site supports HTTPS, be sure to open it.If our Web site is an HTTP site, we need to close this header.

The configuration is as follows:

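Review bot: whitespace-only change again on the `Framework provides ...` line, so the same request as for the TRACE hunk applies; but since the line is being touched, fix its wording: the header name is `Strict-Transport-Security` (capital S), `will be opened by default` should be `is enabled by default`, `then let the HTTPS site not redirect to HTTP` should say what the header actually does (`tells the browser to load the site only over HTTPS and never fall back to HTTP`), and `open it.If` is missing a space. The context line above it, `HTTP transport security (HSTS) strictly`, should read `HTTP Strict Transport Security (HSTS)`.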
4 changes: 3 additions & 1 deletion docs/source/zh-cn/core/security.md
Expand Up @@ -343,7 +343,9 @@ module.exports = {
};
```

#### 忽略 JSON 请求
#### 忽略 JSON 请求(已废弃)

**注意:该选项已废弃,攻击者可以[通过 flash + 307 来攻破](https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/),请不要在生产环境打开改选项!**

[SOP](https://en.wikipedia.org/wiki/Same-origin_policy) 的安全策略保护下,基本上所有的现代浏览器都不允许跨域发起 content-type 为 JSON 的请求,因此我们可以直接放过类型的 JSON 格式的请求。

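Review bot: typo in the new notice line `请不要在生产环境打开改选项`: `改` should be `该` (`打开该选项`, "do not enable this option in a production environment"). The unchanged sentence that follows, `因此我们可以直接放过类型的 JSON 格式的请求` ("so we can simply let JSON-typed requests through"), has a stray `类型的` and, as in the English file, still recommends the exemption that the notice above it deprecates; reword it to match the notice and state the value to keep (`ignoreJSON: false`).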
