Sensitive headers

HTTP/2 headers can be marked as sensitive, which means that the HTTP/2 header compression algorithm (HPACK) will never index them: they are sent as never-indexed literals and their values never enter the compression table. This makes sense for header values that have low entropy and may be valuable to an attacker, for example Cookie or Authorization. To achieve this, add the header names as an array under the [http2.sensitiveHeaders] property:

const http2 = require('node:http2');

// Regular headers plus the list of names that must never be indexed.
const headers = {
  ':status': '200',
  'content-type': 'text/plain',
  'cookie': 'some-cookie',
  'other-sensitive-header': 'very secret data',
  // Symbol-keyed property: names are matched case-insensitively.
  [http2.sensitiveHeaders]: ['cookie', 'other-sensitive-header']
};

// `stream` is a ServerHttp2Stream received from the server's 'stream' event.
stream.respond(headers);

For some headers, such as Authorization and short Cookie headers, this flag is set automatically.

This property is also set for received headers. It will contain the names of all headers marked as sensitive, including ones marked that way automatically.