使用Lusca,Express和Next.js进行随机化

时间:2018-07-25 22:49:37

标签: express next.js kraken.js

我正在尝试使用自定义Express服务器来包装Next.js应用,并用Lusca保护该Next应用。

 /**
 * Use a custom server with next to allow for custom routing using next-routes
 * And additional security using lusca.
 */

const next = require('next');
const express = require('express');
const session = require('express-session');
const lusca = require('lusca');

const routes = require('./routes');

// Run Next in development mode unless NODE_ENV says we are in production.
const isDev = process.env.NODE_ENV !== 'production';
const app = next({ dev: isDev });
// Request handler backed by the next-routes definitions in ./routes.
const handler = routes.getRequestHandler(app);

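/**
 * Register session and lusca security middleware on an express server.
 *
 * @param {import('express').Express} server - the express app to configure
 * @returns {import('express').Express} the same server, for chaining
 */
const configureApp = (server) => {
  // Session must be registered before lusca: lusca's csrf option relies on
  // a session being available on the request.
  server.use(session({
    // NOTE(review): a hard-coded session secret should not be deployed;
    // load it from configuration (e.g. an environment variable) instead.
    // (The original literal was missing its closing quote.)
    secret: 'sososecret',
    resave: true,
    saveUninitialized: true,
  }));

  // security settings
  server.use(lusca({
    csrf: true,
    csp: {
      // Ask lusca to generate per-response nonces for style/script tags.
      // Where lusca exposes the generated value (e.g. on res.locals) is
      // version-dependent — confirm against the installed lusca release.
      styleNonce: true,
      scriptNonce: true,
      policy: {
        'default-src': "'self'",
      },
    },
    xframe: 'SAMEORIGIN',
    hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
    xssProtection: true,
    nosniff: true,
    referrerPolicy: 'same-origin',
  }));

  return server;
};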


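// Build/prepare Next, then start the express server on port 3000.
app.prepare().then(() => {
  const server = express();
  configureApp(server).use(handler).listen(3000);
}).catch((err) => {
  // A failed prepare() must surface as a startup error, not as an
  // unhandled promise rejection that leaves the process half-started.
  console.error(err);
  process.exit(1);
});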

在我的页面中,我可以像这样获得res对象:

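// NOTE(review): Next.js looks up a page hook named `getInitialProps`; this
// property name is misspelled (`getInitalProps`), so the framework is not
// expected to invoke it as written.
Home.getInitalProps = ({ res }) => {
    // `res` is only supplied for the server-side render; on client-side
    // navigation the hook runs without it, so guard before touching it.
    if (!res) {
        return { nonce: undefined };
    }
    // logs { _csrf: 'sXyxcN1T1Ssvmc227dDlylgYs240bDGtYtXzg=' }
    console.log(res.locals);
    return { nonce: res.locals.nonce };
};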

但是当我这样做时,props.nonce是undefined。这是因为res对象上不存在nonce。我也尝试过req对象,但没有运气。我应该如何使用CSP的nonce选项?

0 个答案:

没有答案