A packet-capture scan during testing flagged a set of missing-response-header findings, so I wrote a global interceptor. The findings and the solution are as follows:
Findings to resolve:
- The target server has the OPTIONS method enabled
- Clickjacking: X-Frame-Options not configured
- Referrer-Policy response header missing
- Content-Security-Policy response header missing
- X-Permitted-Cross-Domain-Policies response header missing
- X-Content-Type-Options response header missing
- X-XSS-Protection response header missing
- X-Download-Options response header missing
- HTTP Strict-Transport-Security missing
import lombok.NonNull;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.web.servlet.HandlerInterceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Global interceptor that adds the response headers the security scan asked for
 *
 * @author lijihong
 * @date 2022/07/12
 */
@Slf4j
public class SecurityBreachConfigInterceptor implements HandlerInterceptor {

    /**
     * Pre-handle: runs before the controller and stamps the headers on every response
     *
     * @param request  request
     * @param response response
     * @param handler  handler
     * @return boolean true to continue the chain, false to stop (OPTIONS requests)
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, @NonNull Object handler) {
        log.info("全局拦截器 start ...");
        log.info("request请求地址path[{}] uri[{}]", request.getServletPath(), request.getRequestURI());

        // Finding: the target server has the OPTIONS method enabled.
        // The CORS headers below answer the preflight; the request itself is ended further down.
        response.setHeader("Access-Control-Allow-Origin", "*");
        // Access-Control-Allow-Credentials for cross-origin requests.
        // Caveat: browsers refuse a credentialed response whose Allow-Origin is "*";
        // if credentials are really needed, the allowed origin must be an explicit value.
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS");
        response.setHeader("Access-Control-Max-Age", "86400");
        response.setHeader("Access-Control-Allow-Headers", "*");

        // Clickjacking: X-Frame-Options not configured (set once; a second addHeader would emit a duplicate)
        response.addHeader("X-Frame-Options", "SAMEORIGIN");
        // Referrer-Policy response header missing (note the double "r": "Referer-Policy" is ignored by browsers)
        response.addHeader("Referrer-Policy", "origin");
        // Content-Security-Policy response header missing
        response.addHeader("Content-Security-Policy", "object-src 'self'");
        // X-Permitted-Cross-Domain-Policies response header missing
        response.addHeader("X-Permitted-Cross-Domain-Policies", "master-only");
        // X-Content-Type-Options response header missing
        response.addHeader("X-Content-Type-Options", "nosniff");
        // X-XSS-Protection response header missing
        response.addHeader("X-XSS-Protection", "1; mode=block");
        // X-Download-Options response header missing
        response.addHeader("X-Download-Options", "noopen");
        // HTTP Strict-Transport-Security missing
        response.addHeader("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");

        // If this is an OPTIONS request, end it here with 204 No Content
        if (HttpMethod.OPTIONS.toString().equals(request.getMethod())) {
            response.setStatus(HttpStatus.NO_CONTENT.value());
            log.info("find options request .....");
            return false;
        }
        log.info("全局拦截器 end ...");
        return true;
    }
}
Making the interceptor take effect
import cn.chinaunicom.sdsi.uitl.securityBreach.SecurityBreachConfigInterceptor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebAppConfigurer implements WebMvcConfigurer {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Global security-header interceptor, applied to every path
        registry.addInterceptor(new SecurityBreachConfigInterceptor()).addPathPatterns("/**");
    }
}
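Once the interceptor is registered, the quickest way to confirm the scan will pass is to capture a response and audit it for the headers listed above. The Python check below is an added example, not part of the original post: it parses a raw HTTP response, reports headers that are missing or emitted twice, catches the "Referer-Policy" misspelling, flags the Allow-Origin "*" plus Allow-Credentials "true" combination that browsers reject, and checks the HSTS max-age. The two sample responses are constructed by hand (the first reproduces what the interceptor as originally written would send, the second the corrected output), and the origin https://app.example.com is a placeholder.

```python
import re
from collections import defaultdict

# Response headers the scan in the post asks for (lowercase names).
REQUIRED = [
    "x-frame-options",
    "referrer-policy",
    "content-security-policy",
    "x-permitted-cross-domain-policies",
    "x-content-type-options",
    "x-xss-protection",
    "x-download-options",
    "strict-transport-security",
]


def parse_headers(raw):
    """Parse the header section of a raw HTTP/1.x response (status line first)
    into {lowercase-name: [value, ...]}. Repeated headers keep every value so
    duplicates can be detected."""
    headers = defaultdict(list)
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the header section; the body is ignored
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def audit(raw):
    """Return a list of findings for one captured response; empty means clean."""
    h = parse_headers(raw)
    findings = []
    for name in REQUIRED:
        if name not in h:
            findings.append("missing: " + name)
    for name, values in h.items():
        if name in REQUIRED and len(values) > 1:
            findings.append("duplicated: %s (%d copies)" % (name, len(values)))
    # A hand-typed interceptor easily ships the misspelled name; browsers ignore it.
    if "referer-policy" in h:
        findings.append("misspelled: Referer-Policy (should be Referrer-Policy)")
    # Browsers refuse a credentialed cross-origin response whose allowed origin is "*".
    acao = h.get("access-control-allow-origin", [""])[0]
    creds = h.get("access-control-allow-credentials", [""])[0].lower()
    if acao == "*" and creds == "true":
        findings.append("cors: Allow-Origin '*' combined with Allow-Credentials true")
    # HSTS only helps with a long max-age; one year is the usual floor for preload lists.
    hsts = h.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if hsts and (m is None or int(m.group(1)) < 31536000):
        findings.append("hsts: max-age shorter than one year")
    return findings


# Constructed sample: what the interceptor emits as originally written in the post.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referer-Policy: origin\r\n"
    "Content-Security-Policy: object-src 'self'\r\n"
    "X-Permitted-Cross-Domain-Policies: master-only\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubdomains; preload\r\n"
    "\r\n"
    '{"ok":true}\r\n'
)

# Constructed sample after the fixes: explicit origin (placeholder value),
# correct Referrer-Policy spelling, a single X-Frame-Options.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Access-Control-Allow-Origin: https://app.example.com\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: origin\r\n"
    "Content-Security-Policy: object-src 'self'\r\n"
    "X-Permitted-Cross-Domain-Policies: master-only\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Download-Options: noopen\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample) or "clean")
```

In practice, feed it the output of `curl -si` against the running service, and check an error response (for example a 404) as well as a normal one, since a scanner reports whatever page it happens to hit.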
Copyright belongs to the original author 次日清晨. If this infringes your rights, please contact us and it will be removed.