Published: 2023/12/7 15:49:41   Author: 大数据   Source: 大数据   Views: 650
1. The problem
A website vulnerability scan (application security scan of the project) reported the following findings:
Client-side (JavaScript) cookie reference detected on the target URL
Target is missing the Strict-Transport-Security response header
Target is missing the Referrer-Policy response header
Target is missing the X-Permitted-Cross-Domain-Policies response header
Target is missing the X-Download-Options response header
Clickjacking: X-Frame-Options not configured
2. The fix
Register one filter that intercepts every request and sets the response headers listed above; that clears the findings. The Java filter below does this for a Servlet container, and the IIS web.config further down does the same for an ASP.NET Core site.
~~~java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * @author ZQQ
 * @version 1.0
 * @date 2021/9/22 15:54
 * @desc : adds the security response headers the scanner reported as missing
 */
@WebFilter(urlPatterns = "/*", filterName = "responseHeadFilter")
public class ResponseHeadFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Add the response headers the scan reported as missing
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // setHeader rather than addHeader: if a reverse proxy or another filter also
        // emits e.g. X-Frame-Options, two conflicting copies would leave browsers
        // with no enforceable value
        res.setHeader("X-Frame-Options", "SAMEORIGIN");
        res.setHeader("Referrer-Policy", "origin");
        res.setHeader("Content-Security-Policy", "object-src 'self'");
        res.setHeader("X-Permitted-Cross-Domain-Policies", "master-only");
        res.setHeader("X-Content-Type-Options", "nosniff");
        res.setHeader("X-XSS-Protection", "1; mode=block");
        res.setHeader("X-Download-Options", "noopen");
        res.setHeader("Strict-Transport-Security", "max-age=63072000; includeSubdomains; preload");

        // Cookie finding: re-issue every cookie received with the Secure and HttpOnly flags.
        // Caveat: the rebuilt Set-Cookie carries no Path, Domain or Max-Age, so the browser
        // stores the copy scoped to the current request path; for the container's own
        // session cookie it is cleaner to set <secure> and <http-only> under
        // <session-config><cookie-config> in web.xml (Servlet 3.0+)
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                String value = cookie.getValue();
                StringBuilder builder = new StringBuilder();
                builder.append(cookie.getName()).append('=').append(value).append(';');
                builder.append("Secure;");   // cookie Secure flag
                builder.append("HttpOnly;"); // cookie HttpOnly flag
                res.addHeader("Set-Cookie", builder.toString());
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
~~~
————————————————
Copyright notice: this is an original article by CSDN blogger 「这把躺赢」, published under the CC 4.0 BY-SA license; reposts must include the original link and this notice.
Original link: https://blog.csdn.net/zqqiang0307/article/details/120905725
On IIS the fix goes in web.config; use the corresponding settings below as a reference:
~~~xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
      <!--begin::security settings-->
      <security>
        <requestFiltering>
          <requestLimits>
            <headerLimits>
              <add header="Content-type" sizeLimit="100" />
            </headerLimits>
          </requestLimits>
        </requestFiltering>
      </security>
      <!--end::security settings-->
    </system.webServer>
  </location>
  <!--begin::security settings-->
  <!-- Note: webLimits belongs to the system.applicationHost section group, which IIS only
       accepts in applicationHost.config. If a site web.config containing it fails with
       HTTP 500.19 ("This configuration section cannot be used at this path"), move this
       element to applicationHost.config. -->
  <system.applicationHost>
    <webLimits connectionTimeout="00:00:30" dynamicIdleThreshold="150" headerWaitTimeout="00:00:10" minBytesPerSecond="512" />
  </system.applicationHost>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-XSS-Protection" value="1" />
        <add name="Content-Security-Policy" value="object-src 'self'" />
        <add name="Strict-Transport-Security" value="max-age=63072000; includeSubdomains; preload" />
        <add name="Referrer-Policy" value="origin" />
        <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
        <add name="X-Download-Options" value="noopen" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  <!--end::security settings-->
</configuration>
<!--ProjectGuid: d1d2180b-166b-415f-a3cc-1323b60e954c-->
~~~
You can add <clear /> as in the code above: it discards any custom headers inherited from the parent configuration, so the values listed here are the only ones the site sends.
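Whether the fix came from the Java filter or from the IIS customHeaders above, the way to confirm it is to capture a response and re-run the scanner's checks against it. The script below is an added example, not code from the original post or the CSDN article it reposts: it parses a saved HTTP response (for instance the output of `curl -si https://host/path`) and reports the same findings the post lists, plus two failure modes worth knowing about: a cookie without HttpOnly/Secure, and two conflicting X-Frame-Options values, which is what happens when a filter using addHeader and a reverse proxy both emit the header. The sample responses at the bottom are constructed for the demo; the cookie name and values in them are made up.

```python
"""Audit a saved HTTP response for the scanner findings this post fixes.

Added example, not code from the original post. The sample responses at the
bottom are constructed; cookie name and values are invented for the demo.
"""
from typing import List, Optional, Tuple

# Headers the post adds; each must be present at least once.
REQUIRED_HEADERS = (
    "Strict-Transport-Security",
    "Referrer-Policy",
    "X-Permitted-Cross-Domain-Policies",
    "X-Download-Options",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Content-Security-Policy",
)
# Values browsers still enforce for X-Frame-Options (ALLOW-FROM is obsolete).
VALID_XFO = {"DENY", "SAMEORIGIN"}
# One year in seconds; shorter HSTS lifetimes are commonly reported as weak.
MIN_HSTS_AGE = 31536000


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x response into its status line and header pairs.

    Headers are kept as an ordered list rather than a dict because Set-Cookie
    (and a mis-configured X-Frame-Options) may legitimately repeat.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def _values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for n, v in headers if n.lower() == name.lower()]


def _hsts_max_age(value: str) -> Optional[int]:
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def audit_response(raw: bytes) -> List[str]:
    """Return one finding per problem, in the wording of the scanner report."""
    _status, headers = parse_response(raw)
    findings: List[str] = []

    for name in REQUIRED_HEADERS:
        if not _values(headers, name):
            findings.append(f"{name} response header missing")

    # Two different X-Frame-Options values (e.g. one from the app filter, one
    # from the reverse proxy) are not enforceable; neither is ALLOW-FROM.
    xfo = [v.upper() for v in _values(headers, "X-Frame-Options")]
    if xfo and (len(set(xfo)) > 1 or xfo[0] not in VALID_XFO):
        findings.append(f"X-Frame-Options value not enforceable: {xfo}")

    for value in _values(headers, "Strict-Transport-Security"):
        age = _hsts_max_age(value)
        if age is None or age < MIN_HSTS_AGE:
            findings.append(f"Strict-Transport-Security max-age too short or missing: {value!r}")

    # "Client-side (JavaScript) cookie reference": a cookie without HttpOnly is
    # readable by script; without Secure it also travels over plain HTTP.
    for cookie in _values(headers, "Set-Cookie"):
        parts = cookie.split(";")
        cookie_name = parts[0].split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} readable from JavaScript (no HttpOnly)")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} sent over plain HTTP (no Secure)")
    return findings


# Constructed sample: a response before the filter / web.config fix.
BEFORE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    b"\r\n<html></html>"
)

# Constructed sample: the same response with the headers the post adds.
AFTER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Referrer-Policy: origin\r\n"
    b"Content-Security-Policy: object-src 'self'\r\n"
    b"X-Permitted-Cross-Domain-Policies: master-only\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Download-Options: noopen\r\n"
    b"Strict-Transport-Security: max-age=63072000; includeSubdomains; preload\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    b"\r\n<html></html>"
)

# Constructed sample: the fixed response plus a second, conflicting
# X-Frame-Options, as when addHeader() in the app and a proxy both emit it.
CONFLICTING = AFTER.replace(b"\r\n\r\n", b"\r\nX-Frame-Options: DENY\r\n\r\n", 1)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER), ("conflicting", CONFLICTING)):
        print(label, audit_response(sample) or "no findings")
```

Run it as-is to see the three cases, or feed `audit_response()` the bytes of a real captured response. An empty list for the production response is the condition for re-submitting the scan; if the "not enforceable" finding appears, check for a second source of the same header (proxy, load balancer, another filter) rather than adding the header again.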
On IIS 7.5, when a virtual directory is deployed under the site, requests to the project in that virtual directory fail with an error saying the configuration conflicts with the parent node; the cause is configuration inheritance.
The fix is to break the inheritance in the root directory's Web.config: wrap system.web, or any other configuration section that child directories should not inherit, in a location element, like this:
~~~xml
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.web>
    </system.web>
  </location>
</configuration>
~~~
inheritInChildApplications controls whether child applications inherit the enclosed sections; it defaults to true, and setting it to false stops the inheritance. This approach is simple but not very flexible: every child application loses those sections.
The alternative is to leave the root Web.config alone and edit the child directory's Web.config instead. Suppose the root Web.config defines a connection string named pscp and the child directory needs a different connection string under the same name pscp: the existing entry (the connectionString inherited from the root) must be cleared first.
Use the clear element to drop every entry in a section, or the remove element to drop a single entry by name, as follows:
~~~xml
<configuration>
  <configSections>
    <remove name="casClientConfig"/>
  </configSections>
  <connectionStrings>
    <clear/>
    <add name="pscp" connectionString="xxx"/>
  </connectionStrings>
  <system.webServer>
    <staticContent>
      <remove fileExtension=".properties" />
      <mimeMap fileExtension=".properties" mimeType="text/x-java-properties" />
    </staticContent>
  </system.webServer>
</configuration>
~~~
Note the use of <clear /> and <remove ... /> above: <clear /> discards every inherited entry in the section before the child adds its own, while <remove name="..." /> discards only the named entry, which is what lets the child re-add .properties with a different MIME type without a duplicate-key conflict.
© Copyright 2014 - 2024 柏港建站平台 ejk5.com. 渝ICP备16000791号-4