Secure Headers 中间件

Secure Headers 中间件可简化安全响应头的配置。它借鉴了 Helmet 的能力，允许你按需启用或禁用特定的安全头。

导入

import { Hono } from 'hono'
import { secureHeaders } from 'hono/secure-headers'

用法

默认情况下即可使用推荐设置：

const app = new Hono()
app.use(secureHeaders())

如需关闭某些头部，可将对应选项设为 false：

const app = new Hono()
app.use(
  '*',
  secureHeaders({
    xFrameOptions: false,
    xXssProtection: false,
  })
)

也可以通过字符串覆盖默认值：

const app = new Hono()
app.use(
  '*',
  secureHeaders({
    strictTransportSecurity:
      'max-age=63072000; includeSubDomains; preload',
    xFrameOptions: 'DENY',
    xXssProtection: '1',
  })
)

支持的选项

每个选项都会映射到对应的响应头键值对。

选项	响应头	值	默认值
-	X-Powered-By	（删除该头）	True
contentSecurityPolicy	Content-Security-Policy	用法：见配置 Content-Security-Policy	No Setting
contentSecurityPolicyReportOnly	Content-Security-Policy-Report-Only	用法：见配置 Content-Security-Policy	No Setting
crossOriginEmbedderPolicy	Cross-Origin-Embedder-Policy	require-corp	False
crossOriginResourcePolicy	Cross-Origin-Resource-Policy	same-origin	True
crossOriginOpenerPolicy	Cross-Origin-Opener-Policy	same-origin	True
originAgentCluster	Origin-Agent-Cluster	?1	True
referrerPolicy	Referrer-Policy	no-referrer	True
reportingEndpoints	Reporting-Endpoints	用法：见配置 Content-Security-Policy	No Setting
reportTo	Report-To	用法：见配置 Content-Security-Policy	No Setting
strictTransportSecurity	Strict-Transport-Security	max-age=15552000; includeSubDomains	True
xContentTypeOptions	X-Content-Type-Options	nosniff	True
xDnsPrefetchControl	X-DNS-Prefetch-Control	off	True
xDownloadOptions	X-Download-Options	noopen	True
xFrameOptions	X-Frame-Options	SAMEORIGIN	True
xPermittedCrossDomainPolicies	X-Permitted-Cross-Domain-Policies	none	True
xXssProtection	X-XSS-Protection	0	True
permissionPolicy	Permissions-Policy	用法：见配置 Permission-Policy	No Setting

中间件冲突

如果多个中间件会修改同一个头部，需要注意执行顺序。

如下所示，Secure Headers 先执行，会移除 x-powered-by：

const app = new Hono()
app.use(secureHeaders())
app.use(poweredBy())

而以下顺序会先执行 Powered-By，再由 Secure Headers 保留其结果：

const app = new Hono()
app.use(poweredBy())
app.use(secureHeaders())

配置 Content-Security-Policy

const app = new Hono()
app.use(
  '/test',
  secureHeaders({
    reportingEndpoints: [
      {
        name: 'endpoint-1',
        url: 'https://example.com/reports',
      },
    ],
    // 或者使用 reportTo
    // reportTo: [
    //   {
    //     group: 'endpoint-1',
    //     max_age: 10886400,
    //     endpoints: [{ url: 'https://example.com/reports' }],
    //   },
    // ],
    contentSecurityPolicy: {
      defaultSrc: ["'self'"],
      baseUri: ["'self'"],
      childSrc: ["'self'"],
      connectSrc: ["'self'"],
      fontSrc: ["'self'", 'https:', 'data:'],
      formAction: ["'self'"],
      frameAncestors: ["'self'"],
      frameSrc: ["'self'"],
      imgSrc: ["'self'", 'data:'],
      manifestSrc: ["'self'"],
      mediaSrc: ["'self'"],
      objectSrc: ["'none'"],
      reportTo: 'endpoint-1',
      sandbox: ['allow-same-origin', 'allow-scripts'],
      scriptSrc: ["'self'"],
      scriptSrcAttr: ["'none'"],
      scriptSrcElem: ["'self'"],
      styleSrc: ["'self'", 'https:', "'unsafe-inline'"],
      styleSrcAttr: ['none'],
      styleSrcElem: ["'self'", 'https:', "'unsafe-inline'"],
      upgradeInsecureRequests: [],
      workerSrc: ["'self'"],
    },
  })
)

`nonce` 属性

可通过从 hono/secure-headers 导入的 NONCE 常量，在 scriptSrc 或 styleSrc 中添加 nonce 属性：

tsx

import { secureHeaders, NONCE } from 'hono/secure-headers'
import type { SecureHeadersVariables } from 'hono/secure-headers'

// 指定变量类型，以便推断 `c.get('secureHeadersNonce')`
type Variables = SecureHeadersVariables

const app = new Hono<{ Variables: Variables }>()

// 为 scriptSrc 设置预定义的 nonce 值：
app.get(
  '*',
  secureHeaders({
    contentSecurityPolicy: {
      scriptSrc: [NONCE, 'https://allowed1.example.com'],
    },
  })
)

// 在处理器中读取 `c.get('secureHeadersNonce')`：
app.get('/', (c) => {
  return c.html(
    <html>
      <body>
        {/** contents */}
        <script
          src='/js/client.js'
          nonce={c.get('secureHeadersNonce')}
        />
      </body>
    </html>
  )
})

若希望自行生成 nonce，可传入函数：

tsx

const app = new Hono<{
  Variables: { myNonce: string }
}>()

const myNonceGenerator: ContentSecurityPolicyOptionHandler = (c) => {
  // 每次请求都会调用此函数
  const nonce = Math.random().toString(36).slice(2)
  c.set('myNonce', nonce)
  return `'nonce-${nonce}'`
}

app.get(
  '*',
  secureHeaders({
    contentSecurityPolicy: {
      scriptSrc: [myNonceGenerator, 'https://allowed1.example.com'],
    },
  })
)

app.get('/', (c) => {
  return c.html(
    <html>
      <body>
        {/** contents */}
        <script src='/js/client.js' nonce={c.get('myNonce')} />
      </body>
    </html>
  )
})

配置 Permission-Policy

Permission-Policy 头可用来控制浏览器对特性与 API 的访问。示例如下：

const app = new Hono()
app.use(
  '*',
  secureHeaders({
    permissionsPolicy: {
      fullscreen: ['self'], // fullscreen=(self)
      bluetooth: ['none'], // bluetooth=(none)
      payment: ['self', 'https://example.com'], // payment=(self "https://example.com")
      syncXhr: [], // sync-xhr=()
      camera: false, // camera=none
      microphone: true, // microphone=*
      geolocation: ['*'], // geolocation=*
      usb: ['self', 'https://a.example.com', 'https://b.example.com'], // usb=(self "https://a.example.com" "https://b.example.com")
      accelerometer: ['https://*.example.com'], // accelerometer=("https://*.example.com")
      gyroscope: ['src'], // gyroscope=(src)
      magnetometer: [
        'https://a.example.com',
        'https://b.example.com',
      ], // magnetometer=("https://a.example.com" "https://b.example.com")
    },
  })
)

Secure Headers 中间件 ​

导入 ​

用法 ​

支持的选项 ​

中间件冲突 ​

配置 Content-Security-Policy ​

nonce 属性 ​

配置 Permission-Policy ​