快递/ HelmetJS / CSP和Gzip资产

Question

我有一个快速应用程序托管一个反应网络应用程序。我正在使用HelmetJS帮助我的快速应用程序的安全。

我还将在可能的情况下返回gzipped资产。但是，由于向Express添加了头盔，所以在加载我的托管web应用程序时，我现在会遇到以下错误

Refused to execute script from 'http://localhost:3000/static/main.8bbec8980664a60606b0.min.js' because its MIME type ('application/gzip') is not executable, and strict MIME type checking is enabled.

我的快递应用程序如下..。

const express = require('express');
const helmet = require('helmet');
const path = require('path');
const app = express();

const POLICY_NONE = ["'none'"];
const POLICY_SELF = ["'self'"];

app.use(helmet());
app.use(helmet.referrerPolicy({ policy: 'same-origin' }))
app.use(
    helmet.contentSecurityPolicy({
        directives: {
            defaultSrc: POLICY_SELF,
            connectSrc: POLICY_SELF,
            fontSrc: POLICY_SELF,
            imgSrc: POLICY_SELF,
            manifestSrc: POLICY_SELF,
            mediaSrc: POLICY_SELF,
            objectSrc: POLICY_NONE,
            scriptSrc: POLICY_SELF,
            styleSrc: POLICY_SELF,
            workerSrc: POLICY_SELF,
            formAction: POLICY_SELF,
            frameAncestors: POLICY_NONE,
            blockAllMixedContent: true,
            upgradeInsecureRequests: false,
        }
    })
);

app.use((req, res, next) => {
    if (/\.(js|css)$/.test(req.url)) {
        req.url = req.url + '.gz';
        res.set('Content-Encoding', 'gzip');
    }
    next();
});
app.use(express.static(path.resolve(__dirname, '../dist')));

app.get('/healthz', (req, res) => res.send('OK'));
app.get('*', (req, res) =>
    res.sendFile(path.resolve(__dirname, '../dist/index.html'))
);

const PORT = process.env.SERVER_PORT || 3000;
const HOST = process.env.SERVER_HOST || '127.0.0.1';

app.listen(PORT);
console.log(`API started on ${HOST}:${PORT}`);

在dist文件夹中呈现的索引html如下所示

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <meta http-equiv="X-UA-Compatible" content="ie=edge">

    <title>
        Web App
    </title>
</head>

<body>
<div id="root"></div>
<script type="text/javascript" src="static/main.8bbec8980664a60606b0.min.js"></script></body>

</html>

如果我不戴头盔，这就很好了。如何配置头盔以允许仍然加载此文件？

Answer 1

您可以使用express-static-gzip包。它是一个Express中间件。它负责设置Content-Type头，以及其他事情，比如检查浏览器接受哪种编码。

示例：

var express = require("express");
var expressStaticGzip = require("express-static-gzip");
var app = express();

app.use("/", expressStaticGzip("/my/rootFolder/"));