docs: deprecate ignoreJSON #2270

Merged
merged 2 commits into from Mar 27, 2018
8 changes: 5 additions & 3 deletions docs/source/en/core/security.md
Expand Up @@ -350,7 +350,9 @@ module.exports = {
};
```

#### Ignore JSON request
#### Ignore JSON request(deprecated)

**Notice: this configure is deprecated, the attacker can bypass it through [flash and 307](https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/), please don't enable it in production environment!**

With security policy protection [SOP](https://en.wikipedia.org/wiki/Same-origin_policy), basically all modern browsers do not allow cross domain request when content-type is set to JSON, so we can just leave out JSON request.
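Review bot: the paragraph kept under the new notice still argues the opposite of it. The notice says an attacker bypasses ignoreJSON with Flash and a 307 redirect, yet the next sentence still reads "basically all modern browsers do not allow cross domain request when content-type is set to JSON, so we can just leave out JSON request", which is exactly the assumption the deprecation is refuting. Reword it as the assumption that no longer holds, e.g. "This option relied on browsers never sending cross-domain requests with a JSON content-type; that is not true, so the check gives no protection." Also in the notice, "this configure is deprecated" should be "this configuration is deprecated", and the heading needs a space before "(deprecated)".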

Expand Down Expand Up @@ -426,7 +428,7 @@ OK

Then server sets an httpOnly Cookie `a` to 1, it is not possible to get it through the script in the browser environment.

Then we send a TRACE method request to the server with Cookie `curl -X TRACE -b a=1 -i http://127.0.0.1:7001`, and will get response below:
Then we send a TRACE method request to the server with Cookie `curl -X TRACE -b a=1 -i http://127.0.0.1:7001`, and will get response below:

```
HTTP/1.1 200 OK
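Review bot: the removed and added lines for the TRACE example read identically in the rendered diff, so this appears to be a whitespace-only change, and it is unrelated to the ignoreJSON deprecation in the PR title; say what changed in the commit message or split it into its own commit so reviewers are not hunting for the difference. While the line is being touched, "and will get response below" reads better as "and will get the response below".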
Expand Down Expand Up @@ -592,7 +594,7 @@ So, if you use the Egg framework to develop web site developers, please be sure

For HTTPS, one should pay attention to is the HTTP transport security (HSTS) strictly, if you don't use HSTS, when a user input url in the browser without HTTPS, the browser will use HTTP access by default.

Framework provides `HSTS Strict-Transport-security`, this header will be opened by default, then let the HTTPS site not redirect to HTTP. If your site supports HTTPS, be sure to open it.If our Web site is an HTTP site, we need to close this header.
Framework provides `HSTS Strict-Transport-security`, this header will be opened by default, then let the HTTPS site not redirect to HTTP. If your site supports HTTPS, be sure to open it.If our Web site is an HTTP site, we need to close this header.

The configuration is as follows:
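Review bot: same here, the two HSTS lines look identical after rendering, so please state in the commit what actually changed. The line still has a missing space in "open it.If our Web site", the header name should use its canonical spelling `Strict-Transport-Security`, and "this header will be opened by default, then let the HTTPS site not redirect to HTTP" would be clearer as "this header is enabled by default and keeps browsers from downgrading an HTTPS site to HTTP".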

4 changes: 3 additions & 1 deletion docs/source/zh-cn/core/security.md
Expand Up @@ -343,7 +343,9 @@ module.exports = {
};
```

#### 忽略 JSON 请求
#### 忽略 JSON 请求(已废弃)

**注意:该选项已废弃,攻击者可以[通过 flash + 307 来攻破](https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/),请不要在生产环境打开改选项!**

在 [SOP](https://en.wikipedia.org/wiki/Same-origin_policy) 的安全策略保护下,基本上所有的现代浏览器都不允许跨域发起 content-type 为 JSON 的请求,因此我们可以直接放过类型的 JSON 格式的请求。
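Review bot: typo in the new notice: "请不要在生产环境打开改选项" should read "该选项" (改 → 该). The same consistency problem as in the English file applies: the paragraph below still says browsers never send cross-domain JSON requests, "因此我们可以直接放过类型的 JSON 格式的请求", which the notice has just declared bypassable, so reword it as the historical assumption rather than current advice; "放过类型的 JSON 格式的请求" also has a stray "类型的" and should be "放过 JSON 格式的请求".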
