References:
https://docs.spring.io/spring-security/site/docs/5.3.4.RELEASE/reference/html5/#exploits (section 5.2, Security HTTP Response Headers)
小马哥's video course: Spring Boot Security
HTTP security response headers:
1、Security Default Header
Spring Security provides a default set of security related HTTP response headers to provide secure defaults.
The default for Spring Security is to include the following headers:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains   // only added on HTTPS requests
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
2、Cache-Control
Spring Security's default is to disable caching to protect the user's content.
If a user authenticates to view sensitive information and then logs out, we don't want a malicious user to be able to click the back button to view the sensitive information.
Because no-store is applied to every response that passes through the security filter chain, including CSS, JavaScript and images, an application that wants such content cached must set its own Cache-Control on those responses; Spring Security only writes its cache headers when the response does not already carry Cache-Control, Pragma or Expires.
Default Cache Control HTTP Response Headers
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
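The following is an added example for this note, not code from the Spring Security reference or from 小马哥's video. It covers both sections above: the configure() method restates the default header set of section 1 with the Spring Security 5.3.x lambda DSL (so that each header is visible in code review), and the two classes after it show the section 2 override, i.e. how a single public response or a static-resource handler gets its own Cache-Control while authenticated pages keep no-store. The class names, the /public/** and /static/** paths, the classpath:/static/ location and the "1.0.0" payload are illustrative assumptions.

```java
// Added example (not from the Spring Security docs or the video). Spring Security 5.3.x
// with Spring Boot 2.x is assumed; class names and paths are illustrative.
import java.util.concurrent.TimeUnit;

import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.CacheControl;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@EnableWebSecurity
public class HeadersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                .antMatchers("/public/**", "/static/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // Section 1: every call below restates a default. Leaving http.headers()
            // untouched sends exactly the same header set; spelling it out makes the
            // policy explicit and any later .disable() visible in review.
            .headers(headers -> headers
                // Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                // Pragma: no-cache
                // Expires: 0
                .cacheControl(Customizer.withDefaults())
                // X-Content-Type-Options: nosniff
                .contentTypeOptions(Customizer.withDefaults())
                // Strict-Transport-Security: max-age=31536000 ; includeSubDomains
                // (written only when request.isSecure(), i.e. the request came over HTTPS)
                .httpStrictTransportSecurity(hsts -> hsts
                    .maxAgeInSeconds(31536000)
                    .includeSubDomains(true))
                // X-Frame-Options: DENY
                .frameOptions(frame -> frame.deny())
                // X-XSS-Protection: 1; mode=block
                .xssProtection(xss -> xss.block(true)));
    }
}

// Section 2: overriding Cache-Control for content that is safe to cache.
// Spring Security's CacheControlHeadersWriter runs when the response is committed and
// skips responses that already carry Cache-Control, Expires or Pragma, so a value set
// by the application wins for that response only; the no-store default stays in force
// for everything else, including every authenticated page.
@RestController
class PublicVersionController {

    @GetMapping("/public/version")
    public String version(HttpServletResponse response) {
        // Public, non-sensitive response: shared caches may keep it for an hour.
        response.setHeader("Cache-Control",
                CacheControl.maxAge(1, TimeUnit.HOURS).cachePublic().getHeaderValue());
        return "1.0.0"; // illustrative payload
    }
}

// Static assets (CSS, JavaScript, images) are the usual case: set the cache policy on
// the resource handler rather than per request. Spring MVC writes this Cache-Control
// before the response is committed, so Spring Security leaves it alone here as well.
@Configuration
class StaticResourceCacheConfig implements WebMvcConfigurer {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/static/**")
                .addResourceLocations("classpath:/static/")
                .setCacheControl(CacheControl.maxAge(7, TimeUnit.DAYS).cachePublic());
    }
}
```

To check the result, compare `curl -sI http://localhost:8080/login` with `curl -sI http://localhost:8080/public/version`: the login page should carry the three no-store headers from section 2, the public endpoint `Cache-Control: max-age=3600, public` and no Pragma or Expires. Strict-Transport-Security will only appear when the request itself is made over HTTPS. Do not reach for `headers.cacheControl(cache -> cache.disable())` as the shortcut; that removes the back-button protection for authenticated pages too, which is exactly what the default exists to prevent.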