How do I set response headers in serverless.yml?

6

I have a serverless API that works with the Serverless Framework version 1.25.

For security reasons I want to add response headers. Please help me set the following headers through the serverless.yml file. Are these headers necessary for security?

• Content-Security-Policy: including default-src 'self'

• Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

• X-Content-Type-Options: nosniff

• X-XSS-Protection: 1

• Cache-Control: max-age=0; Expires=-1 or Expires: Fri, 01 Jan 1990 00:00:00 GMT; no-cache, must-revalidate

Below is the serverless.yaml of my serverless application.

service: myService
provider:
  name: aws
  runtime: nodejs6.10
  stage: dev
  region: eu-west-1
  environment:
    REGION: ${self:provider.region}
    PROJECT_NAME: ${self:custom.projectName}
    SERVERLESS_STAGE: ${self:provider.stage}
    SERVERLESS_SERVICE: ${self:service}
    IP_ADDRESS: http://example.com
functions:
  getMyFunction:
    handler: handler.getMyFunction
    timeout: 30
    events:
      - http:
          method: get
          path: api/getMyFunction/v1
          integration: lambda
          cors: true
          authorizer:
            name: authorizerFunc
            identitySource: method.request.header.Token
            authorizationType: AWS_IAM
3 Answers

5
You can use the Lambda Proxy Integration. According to the docs, you need to create a function that runs when someone hits your API endpoint.
For example:
module.exports.hello = function (event, context, callback) {
    console.log(event); // Contains incoming request data (e.g., query params, headers and more)

    const response = {
        statusCode: 200,
        headers: {
            "x-custom-header": "My Header Value"
        },
        body: JSON.stringify({ "message": "Hello World!" })
    };

    callback(null, response);
};

In your serverless.yml file:

functions:
 index:
   handler: handler.hello
   events:
     - http: GET hello
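The proxy-integration approach above, carried through with the exact headers the question asks for, as an added example that is not code from the question or from either answer. With a proxy integration (the default when `integration:` is omitted from the `http` event) API Gateway copies the `headers` object the handler returns straight onto the HTTP response, so no `response.headers` mapping is needed in serverless.yml; with `integration: lambda`, as in the question, the handler's return value is not passed through that way and the mapping in the second answer is required instead. Assumed names: `getMyFunction` matches the question's `handler: handler.getMyFunction`; `buildResponse` and `auditHeaders` are helpers invented here. The audit helper checks a header map for the two mistakes that appear later in this thread: a word that is not a CSP directive ("Include") at the front of Content-Security-Policy, and the "A or B" prose from the question pasted into Cache-Control as if it were a header value.

```javascript
'use strict';

// Added example, not code from the original question or answers.
// Assumed: Node.js runtime, Lambda proxy integration, handler name
// getMyFunction (matches handler.getMyFunction in the question's yml).

// One place to define the headers so every route returns the same set.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
    'X-Content-Type-Options': 'nosniff',
    // Legacy header; modern browsers ignore it. Kept because the question asks for it.
    'X-XSS-Protection': '1; mode=block',
    // One well-formed value instead of "max-age=0; Expires=-1 or Expires: ...".
    'Cache-Control': 'no-cache, no-store, must-revalidate, max-age=0',
    Pragma: 'no-cache',
    Expires: '0',
  };
}

// Proxy-integration response shape: API Gateway copies `headers` onto the HTTP response.
function buildResponse(statusCode, bodyObj, extraHeaders = {}) {
  return {
    statusCode,
    headers: { ...securityHeaders(), 'Content-Type': 'application/json', ...extraHeaders },
    body: JSON.stringify(bodyObj),
  };
}

// Lambda entry point (async, so no callback is needed).
async function getMyFunction(event) {
  const qs = (event && event.queryStringParameters) || {};
  return buildResponse(200, { message: `Hello ${qs.name || 'World'}!` });
}

const REQUIRED = [
  'content-security-policy',
  'strict-transport-security',
  'x-content-type-options',
  'x-xss-protection',
  'cache-control',
];

// Directive names CSP defines; anything else is a typo or pasted prose.
const CSP_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
  'object-src', 'media-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
  'frame-ancestors', 'base-uri', 'form-action', 'upgrade-insecure-requests',
  'block-all-mixed-content', 'report-uri', 'report-to', 'sandbox',
]);

// Audit a header map (names compared case-insensitively). Returns a list of
// problems; an empty list means the response carries the expected headers.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers || {})) lower[k.toLowerCase()] = String(v);
  const problems = [];

  for (const name of REQUIRED) {
    if (!(name in lower)) problems.push(`missing ${name}`);
  }
  if (lower['content-security-policy']) {
    for (const directive of lower['content-security-policy'].split(';')) {
      const name = directive.trim().split(/\s+/)[0];
      if (name && !CSP_DIRECTIVES.has(name.toLowerCase())) {
        problems.push(`content-security-policy: unknown directive "${name}"`);
      }
    }
  }
  if (lower['strict-transport-security'] && !/max-age=\d+/i.test(lower['strict-transport-security'])) {
    problems.push('strict-transport-security: missing max-age');
  }
  if (lower['x-content-type-options'] && lower['x-content-type-options'].toLowerCase() !== 'nosniff') {
    problems.push('x-content-type-options: must be "nosniff"');
  }
  if (lower['cache-control']) {
    // Cache-Control is comma-separated tokens such as no-store or max-age=0; nothing else.
    const wellFormed = lower['cache-control']
      .split(',')
      .every((t) => /^[a-z-]+(=\d+)?$/i.test(t.trim()));
    if (!wellFormed) problems.push(`cache-control: malformed value "${lower['cache-control']}"`);
  }
  return problems;
}

if (typeof module !== 'undefined') {
  module.exports = { getMyFunction, buildResponse, securityHeaders, auditHeaders };
}
```

After deploying, `curl -I` the endpoint and feed the response headers to `auditHeaders` (or simply read them); the point of centralising the headers in `securityHeaders()` is that every route returns the same set, which a per-event `response.headers` mapping in serverless.yml does not guarantee.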

3

You are using the Lambda Integration, so you have to put it in your serverless.yml like this.

service: myService
provider:
  name: aws
  runtime: nodejs6.10
  stage: dev
  region: eu-west-1
  environment:
    REGION: ${self:provider.region}
    PROJECT_NAME: ${self:custom.projectName}
    SERVERLESS_STAGE: ${self:provider.stage}
    SERVERLESS_SERVICE: ${self:service}
    IP_ADDRESS: http://example.com
functions:
  getMyFunction:
    handler: handler.getMyFunction
    timeout: 30
    events:
      - http:
          method: get
          path: api/getMyFunction/v1
          integration: lambda
          cors: true
          authorizer:
            name: authorizerFunc
            identitySource: method.request.header.Token
            authorizationType: AWS_IAM
          response:
            headers:
              # Outer double quotes are YAML; the inner single quotes mark an
              # API Gateway static value rather than a mapping expression.
              # 'self' nests single quotes inside that static value; verify the
              # deployed header with curl -I.
              Content-Security-Policy: "'default-src 'self''"
              Strict-Transport-Security: "'max-age=31536000; includeSubDomains; preload'"
              X-Content-Type-Options: "'nosniff'"
              X-XSS-Protection: "'1'"
              # One well-formed value; the question listed two alternatives joined by "or".
              Cache-Control: "'no-cache, no-store, must-revalidate, max-age=0'"

Reference: https://serverless.com/framework/docs/providers/aws/events/apigateway#custom-response-headers

The documentation describes how to configure custom response headers in AWS API Gateway. Using the Serverless Framework's events property, you define the custom response headers for the API Gateway with this declarative syntax.


1
The code you posted is correct, but you need to add '' around the value. I am posting this answer. - Dharmesh Vasani

0
service: myService
provider:
  name: aws
  runtime: nodejs6.10
  stage: dev
  region: eu-west-1
  environment:
    REGION: ${self:provider.region}
    PROJECT_NAME: ${self:custom.projectName}
    SERVERLESS_STAGE: ${self:provider.stage}
    SERVERLESS_SERVICE: ${self:service}
    IP_ADDRESS: http://example.com
functions:
  getMyFunction:
    handler: handler.getMyFunction
    timeout: 30
    events:
      - http:
          # The keys below belong under http:, so they must be indented past it.
          method: get
          path: api/getMyFunction/v1
          integration: lambda
          cors: true
          authorizer:
            name: authorizerFunc
            identitySource: method.request.header.Token
            authorizationType: AWS_IAM
          response:
            headers:
              # Double quotes for YAML, single quotes for the API Gateway static value.
              Content-Security-Policy: "'default-src 'self''"
              Strict-Transport-Security: "'max-age=31536000; includeSubDomains; preload'"
              X-Content-Type-Options: "'nosniff'"
              X-XSS-Protection: "'1'"
              # One well-formed value; the question listed two alternatives joined by "or".
              Cache-Control: "'no-cache, no-store, must-revalidate, max-age=0'"

1
The latest version of serverless doesn't like this: Serverless: at "functions.login.events[1].httpApi": unrecognized property "cors"; Serverless: at "functions.login.events[1].httpApi": unrecognized property "response" - J. Doe

Web content provided by Stack Overflow.