In my Django application, the following setup makes sure the standard key/value pairs are enabled in the response headers.
However, the "Server" name and version information is still visible by default and needs to be hidden (an exposed server name and version is an OWASP vulnerability).
    class MyAppMiddleware:
        def __init__(self, get_response):
            self.get_response = get_response

        def __call__(self, request):
            response = self.get_response(request)
            response['X-XSS-Protection'] = "1; mode=block"
            return response

    class RemoveHeaders(object):  # this method invocation throws error
        def process_response(self, request, response):
            response['Server'] = ''
            return response
As suggested in other posts, this middleware.py is declared first in the middleware order in settings.py:
    MIDDLEWARE = [
        'MyApp.middleware.RemoveHeaders',
        'MyApp.middleware.MyAppMiddleware',
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ]
The RemoveHeaders() method throws an error: TypeError: RemoveHeaders() takes no arguments. This is because I'm not sure which object to pass to this method.

Update: importing the following worked for me.
    from django.utils.deprecation import MiddlewareMixin

    # class to import in RemoveHeaders--
    class RemoveHeaders(MiddlewareMixin):
        # rest of the code
@stackoverflowusrone I found this in the django v3.7 source code; the Server header comes from here:
But I don't know how to remove it.
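An added example (not code from the question or from Django): one new-style middleware that sets the XSS header and overrides Server in a single pass, placed next to the question's old-style class to show why Django's `RemoveHeaders(get_response)` call fails with the TypeError. `MinimalResponse` is a constructed stand-in for `django.http.HttpResponse` so the block runs without Django, and `SERVER_VALUE` is an assumed choice.

```python
class MinimalResponse:
    """Constructed stand-in for HttpResponse: case-insensitive header mapping."""

    def __init__(self, headers=None):
        self._headers = {k.lower(): (k, v) for k, v in (headers or {}).items()}

    def __setitem__(self, name, value):
        self._headers[name.lower()] = (name, value)

    def items(self):
        return list(self._headers.values())


class RemoveHeadersOldStyle(object):
    """The question's original class: no __init__(self, get_response), so the
    middleware(get_response) call Django makes at startup raises TypeError."""

    def process_response(self, request, response):
        response["Server"] = ""
        return response


class HardenHeaders:
    """New-style middleware doing both jobs in one pass. Server is overridden
    rather than deleted: wsgiref (Django's runserver) only emits its own
    'Server: WSGIServer/...' line when the application set none."""

    SERVER_VALUE = ""  # assumption: empty string, as in the question

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        response["X-XSS-Protection"] = "1; mode=block"
        response["Server"] = self.SERVER_VALUE
        return response


def old_style_is_rejected():
    """Reproduce the question's TypeError without starting Django."""
    try:
        RemoveHeadersOldStyle(lambda request: None)
    except TypeError:
        return True
    return False


def demo():
    # Constructed view whose response already carries a Server header.
    view = lambda request: MinimalResponse({"Server": "WSGIServer/0.2", "Content-Type": "text/html"})
    return dict(HardenHeaders(view)("GET /").items())
```

Django middleware can only override a Server header emitted from inside the WSGI application; a production WSGI server or reverse proxy that adds its own Server header after the response leaves Django has to be configured at that layer.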