AppScan漏洞扫描之-“X-Content-Type-Options”头缺失或不安全、“X-XSS-Protection”头缺失或不安全、跨帧脚本编制防御缺失或不安全

AppScan漏洞扫描之-“X-Content-Type-Options”头缺失或不安全、“X-XSS-Protection”头缺失或不安全、跨帧脚本编制防御缺失或不安全

由 无人久伴 提交于 2020-04-10 11:18:37

解决方案：

        tomcat的web.xml中增加：

<filter>
             <filter-name>httpHeaderSecurity</filter-name>
             <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
             <init-param>
                     <param-name>antiClickJackingOption</param-name>
                     <param-value>SAMEORIGIN</param-value>
             </init-param>
             <init-param>
                     <param-name>hstsEnabled</param-name>
                     <param-value>true</param-value>
             </init-param>                         
             <init-param>            
                     <param-name>hstsMaxAgeSeconds</param-name>                                    
                     <param-value>31536000</param-value>                                        
             </init-param>                                       
             <init-param>                          
                     <param-name>htstIncludeSubDomains</param-name>                                              
                     <param-value>true</param-value>                                                  
             </init-param>
             <async-supported>true</async-supported>
     </filter>
<filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
</filter-mapping>