以下函数查看器响应函数将几个常见的安全相关 HTTP 标头添加到响应中。有关更多信息,请参阅 MDN Web Docs 文档中的以下页面:
Strict-Transport-Security
Content-Security-Policy
X-Content-Type-Options
X-Frame-Options
X-XSS-Protection
在 GitHub 上查看此示例。
async function handler(event) { const response = event.response; const headers = response.headers; // Set HTTP security headers // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none'"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; headers['referrer-policy'] = {value: 'same-origin'}; // Return the response to viewers return response; }
function handler(event) { var response = event.response; var headers = response.headers; // Set HTTP security headers // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; // Return the response to viewers return response; }
Javascript 在您的浏览器中被禁用或不可用。
要使用 Amazon Web Services 文档,必须启用 Javascript。请参阅浏览器的帮助页面以了解相关说明。
感谢您对我们工作的肯定!
如果不耽误您的时间,请告诉我们做得好的地方,让我们做得更好。
感谢您告诉我们本页内容还需要完善。很抱歉让您失望了。
如果不耽误您的时间,请告诉我们如何改进文档。