项目安全扫描,扫到以下问题。
-
检测到目标URL存在客户端(Javascript)cookie引用
-
检测到目标Strict-Transport-Security响应头缺失
-
检测到目标Referrer-Policy响应头缺失
-
检测到目标X-Permitted-Cross-Domain-Policies响应头缺失
-
检测到目标X-Download-Options响应头缺失
-
点击劫持:X-frame-Options未配置
设置统一过滤器,过滤所有请求,设置以上响应头,即可解决问题。
~~~java
@WebFilter(urlPatterns = "/*", filterName = "responseHeadFilter")
public class ResponseHeadFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException, IOException {
//增加响应头缺失代码
HttpServletRequest req=(HttpServletRequest)request;
HttpServletResponse res=(HttpServletResponse)response;
res.addHeader("X-frame-Options","SAMEORIGIN");
res.addHeader("Referrer-Policy","origin");
res.addHeader("Content-Security-Policy","object-src 'self'");
res.addHeader("X-Permitted-Cross-Domain-Policies","master-only");
res.addHeader("X-Content-Type-Options","nosniff");
res.addHeader("X-XSS-Protection","1; mode=block");
res.addHeader("X-Download-Options","noopen");
res.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");
//处理cookie问题
cookie[] cookies = req.getcookies();
if (cookies != null) {
for (cookie cookie : cookies) {
String value = cookie.getValue();
StringBuilder builder = new StringBuilder();
builder.append(cookie.getName()+"="+value+";");
builder.append("Secure;");//cookie设置Secure标识
builder.append("HttpOnly;");//cookie设置Httponly
res.addHeader("Set-cookie", builder.toString());
}
}
chain.doFilter(request, response);
}
@Override
public void destroy() {
}
}
~~~
