A security scan of captured test traffic flagged missing-response-header vulnerabilities, so I wrote a global interceptor; the solution is as follows.

Findings addressed:
OPTIONS method detected as enabled on the target server
Clickjacking: X-Frame-Options not configured
Referrer-Policy response header missing
Content-Security-Policy response header missing
X-Permitted-Cross-Domain-Policies response header missing
X-Content-Type-Options response header missing
X-XSS-Protection response header missing
X-Download-Options response header missing
HTTP Strict-Transport-Security missing
import lombok.NonNull;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.web.servlet.HandlerInterceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Global interceptor that adds the response headers the security scan reported as missing.
 *
 * @author lijihong
 * @date 2022/07/12
 */
@Slf4j
public class SecurityBreachConfigInterceptor implements HandlerInterceptor {

    /**
     * Origins allowed to make credentialed cross-origin requests (placeholder value; replace it
     * with your front-end origins). "Access-Control-Allow-Origin: *" cannot be combined with
     * "Access-Control-Allow-Credentials: true": browsers reject such a response, and a wildcard
     * origin is itself a common scanner finding. The request's Origin is echoed back only when it
     * is on this list.
     */
    private static final Set<String> ALLOWED_ORIGINS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("https://app.example.com")));

    /**
     * Pre-handle: runs before the controller, so the headers are in place before the body is
     * written (headers added after the response is committed are silently dropped).
     *
     * @param request  request
     * @param response response
     * @param handler  handler
     * @return true to continue to the controller, false to end the request here
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, @NonNull Object handler) {
        log.info("global interceptor start ...");
        log.info("request path [{}] uri [{}]", request.getServletPath(), request.getRequestURI());

        // CORS. setHeader() rather than addHeader() throughout, so a second pass through the
        // interceptor (for example the error dispatch) does not emit duplicate header lines.
        String origin = request.getHeader("Origin");
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Vary", "Origin");
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS");
            response.setHeader("Access-Control-Max-Age", "86400");
            // "*" is not a wildcard for credentialed requests; list the headers your clients send.
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Requested-With");
        }
        // Clickjacking: X-Frame-Options not configured (set exactly once; adding it twice, as the
        // first version of this interceptor did, produces two header lines)
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        // Referrer-Policy missing. Mind the spelling: the header is "Referrer-Policy" with two r's.
        // "Referer-Policy" is ignored by browsers and a scanner will still report it as missing.
        // "strict-origin-when-cross-origin" is the stricter, browser-default alternative to "origin".
        response.setHeader("Referrer-Policy", "origin");
        // Content-Security-Policy missing. frame-ancestors is the CSP equivalent of X-Frame-Options.
        response.setHeader("Content-Security-Policy", "object-src 'self'; frame-ancestors 'self'");
        // X-Permitted-Cross-Domain-Policies missing
        response.setHeader("X-Permitted-Cross-Domain-Policies", "master-only");
        // X-Content-Type-Options missing
        response.setHeader("X-Content-Type-Options", "nosniff");
        // X-XSS-Protection missing (the value the scanner expects; current browsers have removed
        // the XSS auditor and OWASP now recommends "0")
        response.setHeader("X-XSS-Protection", "1; mode=block");
        // X-Download-Options missing
        response.setHeader("X-Download-Options", "noopen");
        // HTTP Strict-Transport-Security missing. Browsers only honour it when received over HTTPS.
        response.setHeader("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");

        // OPTIONS (CORS preflight): end the request here with 204 so it never reaches a controller
        if (HttpMethod.OPTIONS.name().equals(request.getMethod())) {
            response.setStatus(HttpStatus.NO_CONTENT.value());
            log.info("OPTIONS request answered by interceptor");
            return false;
        }
        log.info("global interceptor end ...");
        return true;
    }
}
Registering the interceptor so it takes effect. Note that a HandlerInterceptor only runs for requests that reach the DispatcherServlet: responses produced earlier (a servlet Filter rejecting the request, the container's own 404 or error page) will not carry these headers, and a scanner probing such URLs can still report them. A servlet Filter mapped to all URLs, or Spring Security's header configuration, covers those cases as well.
import cn.chinaunicom.sdsi.uitl.securityBreach.SecurityBreachConfigInterceptor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebAppConfigurer implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Security-header global interceptor, applied to every path
        registry.addInterceptor(new SecurityBreachConfigInterceptor()).addPathPatterns("/**");
    }
}
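To confirm the fix without re-running the scanner, the following Python check is added here (it is not part of the original post or the project). It parses a raw response header block, such as `curl -sI https://host/path` output, and reports the scanner's missing-header findings plus three problems a missing-header scan does not catch: a misspelled Referer-Policy, a duplicated X-Frame-Options, and Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true. Both embedded responses are constructed: the first mirrors what the interceptor as first written would emit, the second a corrected response with the origin https://app.example.com (a placeholder) echoed from an allowlist.

```python
"""Audit an HTTP response's security headers: the headers the scanner wants present,
plus the mistakes the scanner does not catch (typos, duplicates, invalid CORS combos)."""
import re
from typing import Dict, List

# Headers the scan reported as missing. Names are compared case-insensitively.
# X-XSS-Protection is obsolete in current browsers but scanners still expect it.
REQUIRED = [
    "X-Frame-Options",
    "Referrer-Policy",
    "Content-Security-Policy",
    "X-Permitted-Cross-Domain-Policies",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "X-Download-Options",
    "Strict-Transport-Security",
]
MIN_HSTS_MAX_AGE = 31536000  # one year, the floor the HSTS preload list accepts


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw response (e.g. `curl -sI` output).
    Header names are lowercased; repeated headers are kept as a list of values."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/") or ":" not in line:
            continue  # blank line, status line, or body text
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str) -> List[str]:
    """Return a list of findings; an empty list means the response passes every check."""
    headers = parse_headers(raw)
    findings: List[str] = []

    for name in REQUIRED:
        if name.lower() not in headers:
            findings.append(f"missing {name}")

    # A misspelled header name is silently ignored by browsers, and a scanner
    # looking for Referrer-Policy still reports it as missing.
    if "referer-policy" in headers and "referrer-policy" not in headers:
        findings.append("Referer-Policy is misspelled (should be Referrer-Policy)")

    # Two addHeader() calls, or an interceptor that runs twice, emit two header lines.
    for name, values in headers.items():
        if len(values) > 1:
            findings.append(f"duplicate {name} ({len(values)} values)")

    # Browsers reject a credentialed response whose allowed origin is "*".
    origins = headers.get("access-control-allow-origin", [])
    creds = headers.get("access-control-allow-credentials", [])
    if "*" in origins and any(v.lower() == "true" for v in creds):
        findings.append("Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true")

    for value in headers.get("strict-transport-security", []):
        m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_MAX_AGE}")

    if headers.get("x-content-type-options", ["nosniff"])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    return findings


# Constructed sample: what the interceptor as first written emits for a normal GET.
ORIGINAL_RESPONSE = """\
HTTP/1.1 200
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: *
X-Frame-Options: SAMEORIGIN
Referer-Policy: origin
Content-Security-Policy: object-src 'self'
X-Permitted-Cross-Domain-Policies: master-only
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Content-Type: application/json
"""

# Constructed sample: the corrected response (single X-Frame-Options, Referrer-Policy
# spelled correctly, origin echoed from an allowlist; https://app.example.com is a placeholder).
FIXED_RESPONSE = """\
HTTP/1.1 200
Access-Control-Allow-Origin: https://app.example.com
Vary: Origin
Access-Control-Allow-Credentials: true
X-Frame-Options: SAMEORIGIN
Referrer-Policy: origin
Content-Security-Policy: object-src 'self'; frame-ancestors 'self'
X-Permitted-Cross-Domain-Policies: master-only
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Download-Options: noopen
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Type: application/json
"""

if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit(raw) or ["clean"])
```

Against a deployed service, pipe the real headers in (`curl -sI https://host/path | python3 -c 'import sys, audit_headers; print(audit_headers.audit(sys.stdin.read()))'`, assuming the block is saved as audit_headers.py); send a second probe with `-X OPTIONS -H "Origin: https://app.example.com"` to check the preflight path separately, since that request is answered by the interceptor before any controller runs.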