chore: optimize README in English #99

Merged
merged 1 commit into from
Jul 3, 2024
30 changes: 15 additions & 15 deletions README.md
Expand Up @@ -39,7 +39,7 @@ exports.security = {

### Disable security precautions

If you want to disable some security precautions, set `enable` porperty to 'false' directly.
To disable some security precautions, set `enable` property to 'false' directly.

For example, disable xframe defense:

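Review bot: On the changed line (`set `enable` property to 'false' directly`) the quotes around 'false' make it read as the string `'false'`, but the `exports.security = {` context in the hunk header is a JavaScript config, where a quoted `'false'` is a truthy string rather than the boolean that turns a plugin off. Since the sentence is being reworded anyway, write it as `set the `enable` property to `false`` with a code literal so nobody copies the string form.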
Expand Down Expand Up @@ -96,7 +96,7 @@ There are times when we want to be more flexible to configure security plugins.F
1. To decide whether to enable or disable the xframe security header from the context of the request.
2. To decide csp policies from different request urls.

Then we can configure `ctx.securityOptions[name] opts` in the custom middleware or controller,then the current request configuration will overrides the default configuration (new configuration will be merged and override the default project configuration, but only take effect in the current request)
Then we can configure `ctx.securityOptions[name] opts` in the custom middleware or controller, then the current request configuration will override the default configuration (new configuration will be merged and override the default project configuration, but only take effect in the current request)

```js
async ctx => {
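Review bot: The changed line still contains `ctx.securityOptions[name] opts`, which is neither a property path nor a sentence; from the `async ctx =>` example that follows, this assigns an options object to `ctx.securityOptions[name]`, so phrase it as `set `ctx.securityOptions[name]` to the options you want`. The rest of the sentence also says the same thing twice (the per-request configuration overrides the default, then the parenthesis repeats it); one clause such as `the options are merged over the project defaults and take effect only for the current request` is enough. On the unchanged list item above, `request urls` should be `request URLs`.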
Expand All @@ -112,7 +112,7 @@ async ctx => {
}
```

Not all security plugins support dynamic configuration, only following plugins list support
Not all security plugins support dynamic configuration, only the following plugins list support

- csp
- hsts
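Review bot: The changed line `only the following plugins list support` is still ungrammatical: `plugins list support` has no object and `list` is redundant with the bullets that follow. Suggest `only the following plugins support it:` directly before the list.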
Expand Down Expand Up @@ -391,9 +391,9 @@ ${helper.shtml($html)}
```

Commonly used `data-xx` property is not in the whitelist, so it will be filtered.
So please check the applicable scenarios for `shtml`, it usually used for richtext submmited by user.
So please check the applicable scenarios for `shtml`, it is usually used for rich-text submitted by user.

A usage error will limit functions, also affect the performance of the server.
A usage error will limit functions, and also affect the performance of the server.
Such scenes are generally forums, comments, etc.

Even if the forum does not support the HTML content input, do not use this helper, you can directly use `escape` instead.
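Review bot: The changed line `A usage error will limit functions, and also affect the performance of the server.` still leaves the reader guessing what the error is; it refers to using `shtml` outside the rich-text scenario named on the line above it, so something like `Using it outside that scenario both limits the markup users can submit (anything not on the whitelist is filtered) and costs server time on every call` says so. On the other changed line, `submitted by user` should be `submitted by users`, and the unchanged `Such scenes are generally forums, comments, etc.` reads better placed directly after that sentence, since it describes the rich-text case rather than the usage error.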
Expand Down Expand Up @@ -480,7 +480,7 @@ console.log(cmd);

## Security Headers

Refer to [lusca](https://github.com/krakenjs/lusca), appriciate for their works.
Refer to [lusca](https://github.com/krakenjs/lusca), appreciate their work.

### hsts Strict-Transport-Security

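Review bot: The changed line `Refer to [lusca](https://github.com/krakenjs/lusca), appreciate their work.` still joins two clauses with a comma and drops the subject of the second. Suggest `Refer to [lusca](https://github.com/krakenjs/lusca); thanks to its authors for their work.`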
Expand All @@ -491,27 +491,27 @@ Disabled by default. If your website based on https, we recommend you should ena

### csp

Default disabled. If you need to enable, please contact your security engineers and determine the opening strategy
Default disabled. If you need to enable it, please contact your security engineers and determine the opening strategy

- policy policies used by csp

### X-Download-Options:noopen

Default enabled, disable IE download dialog automatically open download file and will cause XSS
Default enabled, disable IE download dialog automatically opens download file and will cause XSS

### X-Content-Type-Options:nosniff

Disable IE8's auto MIME sniffing. E.g: take `text/plain` as `text/html` by mistake and render it, especially when there's something untrusted in the local service.
Disable IE8's auto MIME sniffing. E.g.: take `text/plain` as `text/html` by mistake and render it, especially when there's something untrusted in the local service.

### X-Frame-Options

Defaulting to "SAMEORIGIN", only allow iframe embed by same origin.
Defaulting to "SAMEORIGIN", only allows iframe to embed by the same origin.

- value Defaulting to `SAMEORIGIN`

### X-XSS-Protection

- disable Defaulting to `false`same as `1; mode=block`.
- disable Defaulting to `false`, the same as `1; mode=block`.

### SSRF Protection

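Review bot: The changed X-Download-Options line (`Default enabled, disable IE download dialog automatically opens download file and will cause XSS`) still does not state what the header prevents; the point the original was making is that IE's download dialog can open the downloaded file directly, so a downloaded HTML file runs in the site's context and becomes XSS, and `noopen` stops that. Suggest `Enabled by default. Stops IE's download dialog from opening a downloaded file directly, which would otherwise let a downloaded HTML file execute in the site's context (XSS).` Two smaller points in the same hunk: `determine the opening strategy` under csp should be `decide on an enablement policy`, and `only allows iframe to embed by the same origin` under X-Frame-Options should be `only allows the page to be framed by the same origin`.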
Expand All @@ -521,21 +521,21 @@ In a [Server-Side Request Forgery (SSRF)](https://www.owasp.org/index.php/Server

#### Configuration

- ipBlackList(Array) - specific which ip are illegal when request with `safeCurl`.
- ipExceptionList(Array) - specific which ip are legal within ipBlackList.
- ipBlackList(Array) - specific which IP addresses are illegal when requested with `safeCurl`.
- ipExceptionList(Array) - specific which IP addresses are legal within ipBlackList.
- checkAddress(Function) - determine the ip by the function's return value, `false` means illegal ip.

```js
// config/config.default.js
exports.security = {
ssrf: {
// support both cidr subnet or specific ip
// support both cidr subnet or specific IP
ipBlackList: [
'10.0.0.0/8',
'127.0.0.1',
'0.0.0.0/32',
],
// support both cidr subnet or specific ip
// support both cidr subnet or specific IP
ipExceptionList: [
'10.1.1.1',
'10.10.0.1/24',
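Review bot: Both changed bullets keep `specific which IP addresses`; `specific` is an adjective, and the bullet describes what the option does, so `specifies which IP addresses are blocked` and `specifies which IP addresses are allowed within ipBlackList`. `when requested with `safeCurl`` also inverts the subject: it is the request made through `safeCurl` that is checked, so `when requesting with `safeCurl``. The unchanged `checkAddress` bullet still has `determine the ip` and could be aligned to `IP` while the hunk is open. In the config example, `'10.10.0.1/24'` in ipExceptionList has host bits set; if the whole subnet is meant, `'10.10.0.0/24'` is the unambiguous form.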