Loading

SpringBoot 2.X定义全局cookie属性

对于最近项目安全扫描,存在关于Cookie的安全漏洞,如下图:
image
其中HTTP请求响应报文:

Content-Security-Policy: frame-ancestors 'self';
Set-Cookie: SDSESSIONID=OWQ3YTQ5MWEtY2NiMy00MjRkLWFhZTktYjA3ODBjZWY2YmFm; Path=/; HttpOnly; SameSite=Lax

这里需要补充Secure属性、设置HttpOnly、SameSite等调整
引入依赖:

<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session-data-redis</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session-core</artifactId>
</dependency>

添加全局配置:

@Configuration
public class SpringSessionConfiguration {
    @Value("$server.servlet.session.cookie.name")
    private String cookieName;

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
        cookieSerializer.setCookieName(cookieName);
        cookieSerializer.setUseSecureCookie(true);
        cookieSerializer.setUseHttpOnlyCookie(true);
        cookieSerializer.setSameSite("Strict");
        return cookieSerializer;
    }
}

之后,修复之后,重新请求接口,响应报文变化为:

....
set-cookie: SDSESSIONID=NzcyMDExYjYtNmE3Yy00NzliLWExYTUtN2NjMjQ1NDRjODA3; Path=/; Secure; HttpOnly; SameSite=Strict
....
posted @   集君  阅读(138)  评论(0编辑  收藏  举报
(评论功能已被禁用)
相关博文:
· 华为鲲鹏ARM部署云原生环境
· ELK介绍与Spring Boot集成使用
· springboot cookie增加SameSite=None;Secure属性
· SpringBoot的Cookie sameSite之坑
· SpringBoot整合SpringSecurity. ----第一波 (了解咋用)
阅读排行:
· 阿里最新开源QwQ-32B,效果媲美deepseek-r1满血版,部署成本又又又降低了!
· SQL Server 2025 AI相关能力初探
· AI编程工具终极对决:字节Trae VS Cursor,谁才是开发者新宠?
· 开源Multi-agent AI智能体框架aevatar.ai,欢迎大家贡献代码
· Manus重磅发布:全球首款通用AI代理技术深度解析与实战指南
点击右上角即可分享
微信分享提示
AI IDE Trae