For example, when configuring Allow-Methods and Allow-Headers in nginx, how do you find out which ones a site supports?
add_header Access-Control-Allow-Methods 'GET,POST';
add_header Access-Control-Allow-Headers '*';
add_header Access-Control-Allow-Credentials 'true';
# JD: you can see it allows all origins (Access-Control-Allow-Origin: *)
curl -I -XGET www.jd.com
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 07 Jan 2021 08:09:52 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: https://www.jd.com/
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Trace: 302-1610006992561-0-0-0-0-0
Strict-Transport-Security: max-age=360
# Taobao doesn't show it
curl -I -XPUT www.taobao.com
HTTP/1.1 301 Moved Permanently
Server: Tengine
Date: Thu, 07 Jan 2021 08:11:31 GMT
Content-Type: text/html
Content-Length: 278
Connection: keep-alive
Location: https://www.taobao.com/
Via: cache10.cn2434[,0]
Timing-Allow-Origin: *
EagleId: 700f049e16100070914034934e
# QQ doesn't show it either
curl -I -XGET www.qq.com
HTTP/1.1 302 Moved Temporarily
Server: ias/1.3.5_1.17.3
Date: Thu, 07 Jan 2021 08:11:58 GMT
Content-Type: text/html
Content-Length: 149
Connection: keep-alive
Location: https://www.qq.com/
curl -I -XDELETE www.qq.com
HTTP/1.1 302 Moved Temporarily
Server: ias/1.3.5_1.17.3
Date: Thu, 07 Jan 2021 08:12:10 GMT
Content-Type: text/html
Content-Length: 149
Connection: keep-alive
Location: https://www.qq.com/
The OPTIONS method defined in the RFC can be used to get all the methods a server supports.
However, in practice this brings web security problems: hackers can easily scan for vulnerabilities in web frameworks, for example some old frameworks still support the TRACE method. So most WAFs reject the OPTIONS method.
1
Answered on 2021-01-07 16:48
Oh, got it. So you mean the OPTIONS method itself can return the Allow information, but the response gets filtered out by the WAF?
But I set up an nginx locally, and a curl OPTIONS request also couldn't get any Allow-related information.
0
Answered on 2021-01-08 02:16
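An added example (not from the original question or answers) that reads CORS response headers the way a browser does, covering both the nginx add_header config in the question and the follow-up about a local nginx returning nothing to OPTIONS: a plain `curl -I` is not a CORS preflight (it sends no Origin or Access-Control-Request-Method header), and nginx's add_header is skipped on statuses outside 2xx/3xx, such as the 405 its static handler gives to OPTIONS, unless `always` is set. The sample response below is constructed from the thread's three add_header lines plus the Access-Control-Allow-Origin: * seen on the jd.com response.

```python
# Added example for this thread (not from the original post): read CORS headers the way
# a browser does, so a defender can check their own nginx config rather than guess from curl -I.

# nginx add_header is skipped on any status outside this set unless 'always' is given,
# which is why an OPTIONS request that nginx answers with 405 shows no CORS headers.
ADD_HEADER_STATUSES = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308}

def parse_response(raw: str) -> tuple[int, dict]:
    """Split a raw status line + header block (as printed by curl -I) into (status, headers)."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers

def audit_cors(raw: str) -> list[str]:
    """Return findings a defender cares about: what a browser will enforce and what it will reject."""
    status, h = parse_response(raw)
    findings = []
    if status not in ADD_HEADER_STATUSES:
        findings.append(f"status {status}: nginx add_header without 'always' is not applied")
    origin = h.get("access-control-allow-origin")
    if origin is None:
        findings.append("no Access-Control-Allow-Origin: cross-origin reads are blocked")
        return findings
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if origin == "*" and creds:
        findings.append("Allow-Origin '*' plus Allow-Credentials true: browsers reject credentialed requests")
    if creds and h.get("access-control-allow-headers") == "*":
        findings.append("Allow-Headers '*' is literal when credentials are on, not a wildcard")
    methods = h.get("access-control-allow-methods")
    if methods is None:
        findings.append("no Allow-Methods: only CORS-safelisted methods (GET, HEAD, POST) pass preflight")
    else:
        allowed = {m.strip().upper() for m in methods.split(",")}
        findings.append("preflight allows: " + ", ".join(sorted(allowed)))
    return findings

# Constructed sample: a preflight answered with the thread's three add_header lines plus
# the Access-Control-Allow-Origin: * seen on the jd.com response above.
SAMPLE_PREFLIGHT = """HTTP/1.1 204 No Content
Server: nginx
Access-Control-Allow-Methods: GET,POST
Access-Control-Allow-Headers: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
"""
```

Run `audit_cors` against the real OPTIONS response captured from your own server (sent with `-X OPTIONS -H 'Origin: https://your-app' -H 'Access-Control-Request-Method: PUT'`) to see what a browser would actually accept.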