AppScan安全扫描:常见 HTTP 响应头安全问题处理

1、nginx 配置中添加以下代码:

# Security response headers reported by the AppScan scan. nginx notes:
#  - add_header is only applied to 200/201/204/206 and 3xx redirect responses;
#    append the `always` parameter (nginx >= 1.7.5) if error pages must carry
#    these headers as well.
#  - add_header directives declared in a block replace, rather than extend,
#    the add_header directives inherited from the enclosing server/http level.
add_header X-Frame-Options 'SAMEORIGIN'; # only pages from this site may frame this one
add_header X-XSS-Protection '1; mode=block'; # legacy XSS auditor flag; deprecated in current browsers, a CSP is the effective control
add_header X-Content-Type-Options 'nosniff'; # stop the browser from guessing the content type
# HSTS: 63072000 s = 2 years, applied to every subdomain. Browsers only honour
# HSTS when it arrives over HTTPS, so this needs a TLS-terminated server block
# (not shown here); includeSubDomains commits all subdomains to HTTPS for that time.
add_header Strict-Transport-Security 'max-age=63072000;includeSubDomains';
 
配置如下:
location /cas/ {
			# Forward the original Host and the client address to the upstream CAS app.
			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header REMOTE-HOST $remote_addr;
			# Security headers added to the proxied response. Because add_header is
			# declared in this location, add_header directives from the server/http
			# level are NOT inherited here. add_header appends: if the upstream already
			# emits one of these headers the client receives both copies
			# (proxy_hide_header can drop the upstream one). Without the `always`
			# parameter these are only added to 200/201/204/206 and 3xx responses.
			add_header X-Frame-Options 'SAMEORIGIN'; # only this site may frame the page
			add_header X-XSS-Protection '1; mode=block'; # legacy XSS auditor flag, deprecated in current browsers
			add_header X-Content-Type-Options 'nosniff'; # disable browser content-type sniffing
			# HSTS (2 years, all subdomains); only honoured by browsers when this
			# location is itself served over HTTPS.
			add_header Strict-Transport-Security 'max-age=63072000;includeSubDomains';
			# Upstream is reached over plain HTTP; proxy_redirect default rewrites
			# Location/Refresh headers from the upstream using the proxy_pass mapping.
			proxy_pass http://serVer/cas/;
			proxy_redirect default;
		}

2、JSP 中的 Java 代码

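// Security response headers set from the JSP. They must be set before any
// response output is written or flushed: once the response is committed,
// setHeader() is silently ignored and the scan will still report the page.
					// Forbid framing by any origin (clickjacking). If nginx also emits
					// X-Frame-Options for this path, use one layer only: nginx add_header
					// appends, so the client would receive two conflicting values.
					response.setHeader("X-Frame-Options", "DENY");
					// CSP: keep the original child-src restriction and mirror
					// X-Frame-Options DENY with frame-ancestors 'none' -- the CSP
					// directive that actually governs who may frame this page
					// (child-src alone does not).
					response.setHeader("Content-Security-Policy", "child-src http: https:; frame-ancestors 'none'");
					// HSTS, 31536000 s = 1 year, including subdomains. Browsers only
					// honour it over HTTPS, so it has effect only on TLS responses.
					response.setHeader("Strict-Transport-Security", "max-age=31536000;includeSubDomains");
					// Disable browser content-type sniffing.
					response.setHeader("X-Content-Type-Options", "nosniff");
					// Legacy XSS auditor flag, deprecated in current browsers; presumably
					// kept because the scan checks for it -- the CSP above is the
					// effective control.
					response.setHeader("X-XSS-Protection", "1; mode=block");
					// Prevent browser/proxy caching of this response: HTTP/1.1
					// Cache-Control, HTTP/1.0 Pragma, and an already-expired Expires date.
					response.setHeader("Cache-Control", "no-store");
					response.setHeader("Pragma", "no-cache");
					response.setDateHeader("Expires", 0);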

3、jsp、html前端代码













 

 

 

 
