方法一:过滤器
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req=(HttpServletRequest) request;
// http host头攻击漏洞校验
HttpServletResponse res = (HttpServletResponse) response;
String requestHost = req.getHeader("host");
if (requestHost != null && isRightHost(requestHost)){
res.setStatus(403);
return;
}
chain.doFilter(request, response);
}
// http host头漏洞攻击判断
public boolean isRightHost(String requestHost){
if(requestHost.indexOf("www.xxx.com") == -1 && requestHost.indexOf("服务器IP") == -1) {
return true;
}
return false;
}
方法二:nginx
if ($http_Host != '域名或ip:端口'){
return 403;
}
或
if ($http_Host !~*^域名或ip:端口$) {
return 403;这里可以自定义界面 参考
}
方法三:tomcat
Tomcat,修改server.xml文件,配置Host的name属性。
将Host里的name修改为静态的域名,如下:
