Sensitive headers
HTTP/2 headers can be marked as sensitive, which means that the HTTP/2 header compression algorithm will never index them. This makes sense for header values with low entropy that may be considered valuable to an attacker, for example Cookie or Authorization. To achieve this, add the header names to the [http2.sensitiveHeaders] property as an array:
const http2 = require('node:http2');

const headers = {
':status': '200',
'content-type': 'text/plain',
'cookie': 'some-cookie',
'other-sensitive-header': 'very secret data',
// names listed here are sent with HPACK's never-indexed representation
[http2.sensitiveHeaders]: ['cookie', 'other-sensitive-header'],
};
stream.respond(headers);

For some headers, such as Authorization and short Cookie headers, this flag is set automatically.
This property is also set for received headers. It will contain the names of all headers marked as sensitive, including ones marked that way automatically.
For raw headers, this should still be set as a property on the array, like rawHeadersArray[http2.sensitiveHeaders] = ['cookie'], not as a separate key and value pair within the array itself.