How to disable the CSRF security protection #509
Comments
https://eggjs.org/zh-cn/faq.html#为什么会有-csrf-报错

// config/config.default.js
module.exports = {
  security: {
    csrf: {
      enable: false,
    },
  },
};
|
After reading the above, I thought the code below was supposed to be added to

module.exports = {
  security: {
    csrf: {
      enable: false,
    },
  },
};

It turned out not to be. Only after reading #562 did I understand where to change it.

module.exports = appInfo => {
  const config = {};
  // should change to your own
  config.keys = appInfo.name + '';
  // add your config here
  config.security = {
    csrf: {
      enable: false,
    },
  };
  return config;
};
|
But after adding it, the POST address can no longer be reached at all; it just returns {"message":"Not Found"}

'use strict';
/**
 * @param {Egg.Application} app - egg application
 */
module.exports = app => {
  const { router, controller } = app;
  router.get('/', controller.home.index);
  router.post('/postTest', controller.post.index);
};

/controller/post.js

'use strict';
const Controller = require('egg').Controller;
class TestController extends Controller {
  async index(data) {
    console.log(data)
    this.ctx.body = 'tets';
  }
}
module.exports = TestController;

/config.default.js

'use strict';
module.exports = appInfo => {
  const config = exports = {};
  // use for cookie sign key, should change to your own and keep security
  config.keys = appInfo.name + '_1524018239453_7529';
  // add your config here
  config.middleware = [];
  config.security = {
    csrf: {
      enable: false,
    },
  };
  return config;
};
|
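Why do I get a 404 when I test? It's the same route: when I change it to accept GET it is OK, when I change it to POST it returns 404! |
I guess you forgot to configure the POST router |
@atian25 If the very first request is a POST request, the client certainly has no CSRF token, so it will certainly fail. How should this problem be solved? |
@gaoshijun1993 A normal user will certainly issue a GET request first to fetch the page. A direct POST request can be considered a malicious request. If you really have this need, make something like |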
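Added example, not part of the original thread and not egg-security's own code: a minimal model of the cookie-plus-header token check behind the GET-then-POST flow described in the reply above, showing why a first POST is rejected, why a POST after a GET succeeds, and what `enable: false` gives up. The `handle` function, its request shape, and the cookie and header names are assumptions made for illustration.

```javascript
'use strict';
const crypto = require('crypto');

// Names chosen to mirror Egg's documented defaults; treat them as assumptions here.
const COOKIE_NAME = 'csrfToken';
const HEADER_NAME = 'x-csrf-token';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Constant-time comparison so the check does not leak token bytes via timing.
function tokensMatch(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length === 0) return false;
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Hypothetical handler: req = { method, cookies, headers }, config = { enable }.
// Returns { status, setCookie } so the outcome can be inspected directly.
function handle(req, config) {
  const res = { status: 200, setCookie: null };
  if (!config.enable) return res; // protection off: every request is accepted
  if (SAFE_METHODS.has(req.method)) {
    // Safe request: issue a token if the client does not hold one yet.
    if (!req.cookies[COOKIE_NAME]) {
      res.setCookie = { [COOKIE_NAME]: crypto.randomBytes(18).toString('hex') };
    }
    return res;
  }
  // State-changing request: the header token must equal the cookie token.
  if (!tokensMatch(req.cookies[COOKIE_NAME], req.headers[HEADER_NAME])) res.status = 403;
  return res;
}

// Constructed requests (not captured traffic).
function demo() {
  const on = { enable: true };
  const firstPost = handle({ method: 'POST', cookies: {}, headers: {} }, on);
  const page = handle({ method: 'GET', cookies: {}, headers: {} }, on);
  const cookies = page.setCookie;
  const token = cookies[COOKIE_NAME];
  const okPost = handle({ method: 'POST', cookies, headers: { [HEADER_NAME]: token } }, on);
  // Cross-site form post: the browser attaches the cookie, but the header is absent.
  const forged = handle({ method: 'POST', cookies, headers: {} }, on);
  const forgedWhenOff = handle({ method: 'POST', cookies, headers: {} }, { enable: false });
  return { firstPost: firstPost.status, okPost: okPost.status,
    forged: forged.status, forgedWhenOff: forgedWhenOff.status };
}

console.log(demo());
```

With the check disabled, the cross-site POST that was rejected with 403 is accepted, which is the trade-off behind `enable: false`.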
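If it can be fetched via ajax, then you might as well just turn it off... |
You probably didn't return any content. Try adding this in the controller: this.ctx.body = { |
Most likely he hasn't configured the route |
Isn't the route already defined this way? What do you mean by configuring? |
Provide a minimal reproducible repository, then we can discuss |
I ran into a similar situation. So far I've found that a POST request without parameters returns normally, but once parameters are added it returns 404. A breakpoint shows the request reached the backend, but it only got as far as the middleware and never ran into the router |
Usually in this situation something in the code threw an error… or the earlier config was not hot-reloaded successfully. |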
Simulating a POST request locally with curl gives the message
How do I disable the CSRF security protection?
Configuring {app_root}/config/plugin.js as follows: not work.