Disabling OPTIONS requests

Background:

The penetration test reported the finding "Unsafe HTTP method: OPTIONS".


Description

Verification (the URL is quoted so the shell does not treat the ? as a glob):

curl -v -X OPTIONS 'http://localhost/xcall/token/refresh?_t=1689589608'

[image 1: output of the curl command above]


Solution (pick one of the two):

1. For a Spring Boot project on embedded Tomcat, add the following configuration class:


import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Rejects the listed HTTP methods inside Tomcat, before any servlet or Spring
 * handler sees the request. This is the programmatic form of a web.xml
 * <security-constraint> with an empty <auth-constraint/>, which Tomcat
 * answers with 403 Forbidden.
 */
@Configuration
public class TomcatConfig {

    @Bean
    public ConfigurableServletWebServerFactory configurableServletWebServerFactory() {
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
        factory.addContextCustomizers(context -> {
            SecurityConstraint securityConstraint = new SecurityConstraint();
            // An auth constraint with no roles denies every caller, so the matched
            // methods get 403. A user-data constraint of "CONFIDENTIAL" on its own is
            // not a block: it only redirects plain-HTTP requests to the HTTPS port,
            // where the method is then served normally.
            securityConstraint.setAuthConstraint(true);
            SecurityCollection collection = new SecurityCollection();
            // Applies to every path in the application.
            collection.addPattern("/*");
            collection.addMethod("HEAD");
//            collection.addMethod("PUT");
//            collection.addMethod("DELETE");
            collection.addMethod("OPTIONS");
            collection.addMethod("TRACE");
            collection.addMethod("COPY");
            collection.addMethod("SEARCH");
            collection.addMethod("PROPFIND");
            securityConstraint.addCollection(collection);
            context.addConstraint(securityConstraint);
        });
        return factory;
    }

}

Note that both variants act on every path under /*. If browser clients on other origins call this API, blocking OPTIONS breaks the CORS preflight; blocking HEAD breaks load-balancer health checks and caches that rely on it. Narrow the pattern (for example to the API prefix) or drop HEAD from the list if that applies to you.

2. nginx configuration

In nginx.conf, inside the server {} block (or the location {} block) that fronts the application, add:

        if ($request_method = OPTIONS) {
            return 403;
        }

Method names are case-sensitive tokens, so an exact comparison with = is enough; a regex such as ~* OPTIONS also matches but is unnecessary. The if directive is not allowed directly under http {}, which is why it has to sit in a server or location context.

[image 2: the nginx.conf edit]
Don't forget to reload nginx (check the syntax first):

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload

or, if nginx is managed by systemd (a restart also works but drops in-flight connections):

systemctl reload nginx


Testing the fix

Re-run the curl command from the verification step.

Tomcat response:
[image 3: Tomcat's response to the OPTIONS request]

nginx response:
[image 4: nginx's response to the OPTIONS request]
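The verification step and the re-test after the fix are the same check, so here is an added example (not the author's script and not part of either project) that sends every method the Tomcat constraint lists to a URL and reports which ones the server still serves. It treats a 3xx as "not fixed", because a redirect to HTTPS is not a block: the client simply follows it. The RISKY_METHODS list and the verdict thresholds are my assumptions, and the SAMPLE_BEFORE_FIX / SAMPLE_AFTER_FIX tables are constructed, not captured responses; pass a real URL on the command line to probe a live host instead.

```python
"""Probe a URL with the HTTP methods from the pentest finding and report which are still usable.

Added example for this page, not the author's code. The transport is injectable so the
same logic can run offline against a constructed response table.
"""
import http.client
from urllib.parse import urlsplit

# Assumed list: the methods from the Tomcat SecurityConstraint plus PUT/DELETE, which it
# left commented out. HEAD is deliberately excluded; it is harmless on its own.
RISKY_METHODS = ("OPTIONS", "TRACE", "PUT", "DELETE", "COPY", "SEARCH", "PROPFIND")


def http_send(url, method, timeout=5):
    """Real transport: send `method` to `url`, return (status, lower-cased header dict)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request(method, path, headers={"Host": parts.netloc, "Connection": "close"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def classify(status):
    """Map a status code to a verdict. 403/405/501 mean the server refused the method;
    a redirect is NOT a block (this is what a CONFIDENTIAL-only Tomcat constraint
    produces on plain HTTP); 2xx means the method was served."""
    if status in (403, 405, 501):
        return "blocked"
    if 300 <= status < 400:
        return "redirected"
    if 200 <= status < 300:
        return "allowed"
    return "other"


def probe(url, methods=RISKY_METHODS, transport=http_send):
    """Return {method: {"status": int, "verdict": str, "allow": str or None}}."""
    report = {}
    for method in methods:
        status, headers = transport(url, method)
        report[method] = {
            "status": status,
            "verdict": classify(status),
            # Only an OPTIONS response carries an Allow header worth recording.
            "allow": headers.get("allow") if method == "OPTIONS" else None,
        }
    return report


def still_exposed(report):
    """Methods the server still serves or merely redirects, i.e. the finding is not fixed."""
    return [m for m, r in report.items() if r["verdict"] in ("allowed", "redirected")]


# Constructed sample (not captured from any real host): a plausible answer set from an
# unfixed Spring Boot app on embedded Tomcat, where OPTIONS is the one method that succeeds.
SAMPLE_BEFORE_FIX = {
    "OPTIONS": (200, {"allow": "GET,HEAD,POST,OPTIONS"}),
    "TRACE": (405, {}), "PUT": (405, {}), "DELETE": (405, {}),
    "COPY": (501, {}), "SEARCH": (501, {}), "PROPFIND": (501, {}),
}
# The same table after the nginx rule above: OPTIONS now gets 403.
SAMPLE_AFTER_FIX = dict(SAMPLE_BEFORE_FIX, OPTIONS=(403, {}))


def sample_transport(responses):
    """Build a transport that answers from a constructed table instead of the network."""
    def send(url, method):
        return responses[method]
    return send


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    url = sys.argv[1] if live else "http://localhost/xcall/token/refresh?_t=1689589608"
    result = probe(url, transport=http_send if live else sample_transport(SAMPLE_BEFORE_FIX))
    for method, r in result.items():
        extra = f"  Allow: {r['allow']}" if r["allow"] else ""
        print(f"{method:9s} {r['status']}  {r['verdict']}{extra}")
    print("still exposed:", ", ".join(still_exposed(result)) or "none")
```

Run it once against Tomcat's own port and once against the nginx front-end: the pentest was most likely performed through nginx, but an attacker who can reach the Tomcat port directly bypasses the nginx rule, so only the Tomcat constraint closes that path.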
