X-Frame-Options and X-XSS-Protection headers not configured

Create a new class in the project:

package com.*.*.filter;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class ResponseHeaderFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Required: setHeader() is only available on the HTTP-specific subtypes
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Actual settings
        // SAMEORIGIN: the page may only be loaded into (framed by) pages of the same origin
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        // 1; mode=block: enable the browser's XSS filter and stop rendering the page when an XSS attack is detected
        response.setHeader("X-XSS-Protection", "1; mode=block");
        // Hand off to the next filter in the chain
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
    }

    @Override
    public void destroy() {
    }
}


Configure it in web.xml:

<filter>
    <filter-name>ResponseHeaderFilter</filter-name>
    <filter-class>com.*.*.filter.ResponseHeaderFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ResponseHeaderFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Send a request from the browser and check whether the response headers include the X-Frame-Options parameter; if they do, the configuration is working.
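The same check can be scripted instead of done by hand in the browser's developer tools. The following is an added example, not code from the original post: a POSIX shell function that reads a raw HTTP response header block and verifies that X-Frame-Options carries an allowed value (SAMEORIGIN or DENY) and that X-XSS-Protection is set to the value the filter writes. The two sample header blocks are constructed for the example, and the curl URL in the comment is a placeholder.

```shell
#!/bin/sh
# Added example: verify that the filter's headers reach the client.
# check_headers reads raw response headers on stdin and returns 0 only when
# both headers are present with the expected values; it prints what it found.
check_headers() {
    # Drop CRs and lowercase everything; header names and these values are case-insensitive
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    xfo=$(printf '%s\n' "$hdrs" | sed -n 's/^x-frame-options:[[:space:]]*//p' | head -n 1)
    xss=$(printf '%s\n' "$hdrs" | sed -n 's/^x-xss-protection:[[:space:]]*//p' | head -n 1)
    status=0
    case "$xfo" in
        deny|sameorigin) echo "X-Frame-Options: $xfo (ok)" ;;
        "")              echo "X-Frame-Options missing"; status=1 ;;
        *)               echo "X-Frame-Options has unexpected value '$xfo'"; status=1 ;;
    esac
    case "$xss" in
        "1; mode=block") echo "X-XSS-Protection: $xss (ok)" ;;
        "")              echo "X-XSS-Protection missing"; status=1 ;;
        *)               echo "X-XSS-Protection has unexpected value '$xss'"; status=1 ;;
    esac
    return $status
}

# Constructed sample: what the response looks like after the filter is mapped to /*
SAMPLE_OK='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
'

# Constructed sample: a response from an application without the filter
SAMPLE_MISSING='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
'

# Against a live server (placeholder URL), fetch only the headers and pipe them in:
#   curl -sS -D - -o /dev/null http://localhost:8080/ | check_headers
```

Because the filter is mapped to /*, it is worth running the live check against an error page and a static resource as well as the main page, since every response should carry the headers. Note that current browsers ignore X-XSS-Protection and that the Content-Security-Policy frame-ancestors directive is the modern replacement for X-Frame-Options; the script only confirms that the server emits what the filter was written to emit.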

posted @ 2020-04-30 15:06  lost_s