I deployed an Angular2 web application on Azure App Service Linux. I ran OWASP ZAP against my site and it warned that the X-Content-Type-Options header is missing. I looked for the httpd file under etc/ to set X-Content-Type-Options = 'nosniff', but I could not find it. I assume the web app runs on Apache.
Reference:
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Posted on 2021-07-25 15:05:18
We solved this by including two files, ecosystem.config.js and serve.json, as part of our deployment artifact.
ecosystem.config.js

// https://burkeknowswords.com/this-is-how-to-easily-deploy-a-static-site-to-azure-96c77f0301ff
// Use PM2 to serve files on Linux App Service
module.exports = {
  apps: [
    {
      script: "npx serve -s"
    }
  ]
};

serve.json

{
  "headers": [
    {
      "source": "**",
      "headers": [
        {
          "key": "X-Content-Type-Options",
          "value": "nosniff"
        }
        // more headers
      ]
    }
  ]
}