How to set X-Content-Type-Options on Azure App Service Linux?
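I have deployed an Angular2 web app on Azure App Service Linux. I ran an OWASP ZAP attack against my site, and it warned that the X-Content-Type-Options header is missing. I looked in etc/ for the httpd file to set X-Content-Type-Options = 'nosniff', but I couldn't find it. I assume the web app is running on Apache.

Reference: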
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

We solved this by including two files, ecosystem.config.js and serve.json, as part of the artifact we deploy.

ecosystem.config.js

    // https://burkeknowswords.com/this-is-how-to-easily-deploy-a-static-site-to-azure-96c77f0301ff
    // Use PM2 to serve files on Linux App Service
    module.exports = {
      apps: [
        {
          script: "npx serve -s"
        }
      ]
    };

serve.json

    {
      "headers": [
        {
          "source": "**",
          "headers": [
            {
              "key": "X-Content-Type-Options",
              "value": "nosniff"
            }
          ]
        }
      ]
    }

More headers can be added to the inner "headers" array.
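
Added example, not part of the original answer: a pre-deploy check that a serve.json actually sets X-Content-Type-Options: nosniff for every path. The function name auditServeJson, the helper makeConfig and the sample inputs are constructed for illustration; it assumes the file is parsed as strict JSON and treats only the catch-all source "**" as covering all paths.

```javascript
// Added example: audit a serve.json before it is shipped with the artifact.
// Assumption: the file is parsed as strict JSON, so a "//" comment breaks it.
// Simplification: only the catch-all source "**" counts as covering every path.
function auditServeJson(text) {
  let config;
  try {
    config = JSON.parse(text);
  } catch (err) {
    return { ok: false, findings: ["not valid JSON: " + err.message] };
  }
  const invalid = [];
  const partial = [];
  let coversAll = false;
  for (const rule of Array.isArray(config?.headers) ? config.headers : []) {
    for (const h of Array.isArray(rule?.headers) ? rule.headers : []) {
      // Header names are case-insensitive, and so is the "nosniff" token.
      if (String(h.key).toLowerCase() !== "x-content-type-options") continue;
      if (String(h.value).trim().toLowerCase() !== "nosniff") {
        invalid.push(`source "${rule.source}": value "${h.value}" is not "nosniff"`);
      } else if (rule.source === "**") {
        coversAll = true;
      } else {
        partial.push(`source "${rule.source}": nosniff covers only some paths`);
      }
    }
  }
  const findings = coversAll
    ? invalid
    : [...invalid, ...partial, 'no "**" rule sets X-Content-Type-Options: nosniff'];
  return { ok: coversAll && invalid.length === 0, findings };
}

// Constructed sample inputs (hypothetical helper makeConfig builds serve.json text).
const makeConfig = (source, value) =>
  JSON.stringify({ headers: [{ source, headers: [{ key: "X-Content-Type-Options", value }] }] });
const SAMPLES = {
  good: makeConfig("**", "nosniff"),
  typo: makeConfig("**", "no-sniff"),
  scoped: makeConfig("**/*.js", "nosniff"),
  commented: '{ "headers": [ // more headers\n ] }',
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditServeJson(text)));
}
```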