常见四种“头缺失或不安全”问题

常见的头缺失或不安全问题

1、“Content-Security-Policy”头缺失或不安全
2、“X-Content-Type-Options”头缺失或不安全
3、“X-XSS-Protection”头缺失或不安全
4、设置HTTP请求头(X-Frame-Options)

解决办法: 定义过滤器,并在启动类中添加注入

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class CorsFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) {
        // TODO Auto-generated method stub
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletResponse httpServletResponse = (HttpServletResponse) response;
   
            String origin = ((HttpServletRequest) request).getHeader("Origin");
            httpServletResponse.setHeader("Access-Control-Allow-Origin", origin);
            httpServletResponse.setHeader("Access-Control-Allow-Methods","POST, GET");//允许跨域的请求方式
            httpServletResponse.setHeader("Access-Control-Max-Age", "3600");//预检请求的间隔时间
            httpServletResponse.setHeader("Access-Control-Allow-Headers", "x-auth-token,Origin,Access-Token,X-Requested-With,Content-Type, Accept,token" );//允许跨域请求携带的请求头
            httpServletResponse.setHeader("Access-Control-Allow-Credentials","false");//若要返回cookie、携带seesion等信息则将此项设置我true

    	    httpServletResponse.setHeader("strict-transport-security","max-age=16070400; includeSubDomains");//简称为HSTS。它允许一个HTTPS网站,要求浏览器总是通过HTTPS来访问它
            httpServletResponse.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self'; frame-ancestors 'self'; object-src 'none'");//这个响应头主要是用来定义页面可以加载哪些资源,减少XSS的发生
            httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");//互联网上的资源有各种类型,通常浏览器会根据响应头的Content-Type字段来分辨它们的类型。通过这个响应头可以禁用浏览器的类型猜测行为
            httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block");//1; mode=block:启用XSS保护,并在检查到XSS攻击时,停止渲染页面
            httpServletResponse.setHeader("X-Frame-Options", "SAMEORIGIN");//SAMEORIGIN:不允许被本域以外的页面嵌入
        }
        
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // TODO Auto-generated method stub
    }
}
//bean注入
@Bean
    public FilterRegistrationBean corsFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new CorsFilter());
        registration.addUrlPatterns("/*");
        registration.setName("corsFilter");
        //将其注册在其他过滤器的前面
        registration.setOrder(0);
        return registration;
    }

HTML前端解决办法:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'"/>
<meta http-equiv="X-Content-Type-Options" content="nosniff" />
<meta http-equiv="X-XSS-Protection" content="1; mode=block" />
<meta http-equiv="X-Frame-Options" content="SAMEORIGIN">

你可能感兴趣的:(网络安全)