X-Frame-Options header and X-XSS-Protection not configured
Create a new class in the project:
package com.*.*.filter;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class ResponseHeaderFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Required: the filter API hands over the generic types, cast them to the HTTP variants
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The actual settings. They are applied before the chain continues, so every
        // response that passes through this filter carries them; note that a downstream
        // response.reset() would discard them again.
        // SAMEORIGIN: the page may only be framed by pages from the same origin
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        // 1; mode=block: enable the browser's XSS filter and stop rendering the page when an attack is detected
        response.setHeader("X-XSS-Protection", "1; mode=block");

        // Hand off to the next filter (or the servlet)
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
    }

    @Override
    public void destroy() {
    }
}
Configure it in web.xml:
<filter>
    <filter-name>ResponseHeaderFilter</filter-name>
    <filter-class>com.*.*.filter.ResponseHeaderFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ResponseHeaderFilter</filter-name>
    <!-- /* applies the filter to every request the servlet container handles -->
    <url-pattern>/*</url-pattern>
</filter-mapping>
Have the browser issue a request and check whether the response headers contain X-Frame-Options; if they do, the configuration is in effect (curl -sI against the URL shows the same headers). Two caveats: the filter only touches responses that pass through the servlet container, so static files or error pages served directly by a front-end proxy need the headers set there as well; and X-XSS-Protection is deprecated. Chrome and Edge have removed their XSS auditors and Firefox never implemented one, so the header satisfies the scanner finding but gives no protection in current browsers. X-Frame-Options is still honoured, and Content-Security-Policy with a frame-ancestors directive is its standardised successor.
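The verification step above done in code rather than by eye, as an added example that is not part of the original post. The check itself (checkHeaders) is what matters: it fails on a missing X-Frame-Options, on an X-Frame-Options value browsers no longer honour (only DENY and SAMEORIGIN count), on a missing X-XSS-Protection, and it flags the absence of a Content-Security-Policy frame-ancestors directive. To run offline it stands up a throwaway loopback server with the JDK's built-in com.sun.net.httpserver that sets the same headers the filter does; the server, the class name ResponseHeaderCheck and the use of Java 11's java.net.http client are assumptions of this example, not anything from the page. Pass the real application's URL as the first argument to check the deployed filter instead.

```java
import com.sun.net.httpserver.Headers;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpHeaders;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/**
 * Added example (not from the original post): fetches a page and checks for the
 * headers the ResponseHeaderFilter is supposed to add. Requires Java 11+.
 */
public class ResponseHeaderCheck {

    // The only X-Frame-Options values current browsers honour. ALLOW-FROM is
    // obsolete and ignored, so it is reported as a failure rather than a pass.
    private static final Set<String> VALID_XFO = Set.of("DENY", "SAMEORIGIN");

    /** Returns a list of findings; an empty list means the headers are as expected. */
    static List<String> checkHeaders(HttpHeaders headers) {
        List<String> findings = new ArrayList<>();

        // HttpHeaders lookups are case-insensitive, so "x-frame-options" also matches.
        Optional<String> xfo = headers.firstValue("X-Frame-Options");
        if (xfo.isEmpty()) {
            findings.add("X-Frame-Options is missing");
        } else if (!VALID_XFO.contains(xfo.get().trim().toUpperCase(Locale.ROOT))) {
            findings.add("X-Frame-Options has an unsupported value: " + xfo.get());
        }

        Optional<String> xss = headers.firstValue("X-XSS-Protection");
        if (xss.isEmpty()) {
            findings.add("X-XSS-Protection is missing");
        }

        // frame-ancestors is the CSP successor to X-Frame-Options; its absence is
        // reported so the reviewer knows only the legacy header is in place.
        Optional<String> csp = headers.firstValue("Content-Security-Policy");
        if (csp.isEmpty() || !csp.get().contains("frame-ancestors")) {
            findings.add("Content-Security-Policy frame-ancestors is not set (legacy X-Frame-Options only)");
        }
        return findings;
    }

    /**
     * Assumed stand-in for the deployed application: a throwaway loopback server
     * whose handler sets the same headers the filter sets, so the check runs offline.
     */
    static HttpServer startServer() throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            Headers h = exchange.getResponseHeaders();
            h.set("X-Frame-Options", "SAMEORIGIN");
            h.set("X-XSS-Protection", "1; mode=block");
            h.set("Content-Security-Policy", "frame-ancestors 'self'");
            byte[] body = "ok".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream os = exchange.getResponseBody()) {
                os.write(body);
            }
        });
        server.start();
        return server;
    }

    public static void main(String[] args) throws Exception {
        // With an argument, check a real deployment; without one, use the local stand-in.
        HttpServer server = args.length > 0 ? null : startServer();
        String url = args.length > 0 ? args[0]
                : "http://127.0.0.1:" + server.getAddress().getPort() + "/";
        try {
            HttpResponse<String> response = HttpClient.newHttpClient().send(
                    HttpRequest.newBuilder(URI.create(url)).GET().build(),
                    HttpResponse.BodyHandlers.ofString());

            List<String> findings = checkHeaders(response.headers());
            if (findings.isEmpty()) {
                System.out.println("PASS: expected security headers present on " + url);
            } else {
                findings.forEach(f -> System.out.println("FAIL: " + f));
            }
        } finally {
            if (server != null) {
                server.stop(0);
            }
        }
    }
}
```

Run it once against the local stand-in to see a PASS, then against the application after deploying the filter; a FAIL line naming X-Frame-Options usually means the request did not pass through the servlet container (static content or an error page served by the proxy in front of it), which is exactly the case the browser spot-check in the previous step tends to miss.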