host头部攻击解决方案
方法一:过滤器
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req=(HttpServletRequest) request; // http host头攻击漏洞校验 HttpServletResponse res = (HttpServletResponse) response; String requestHost = req.getHeader("host"); if (requestHost != null && isRightHost(requestHost)){ res.setStatus(403); return; } chain.doFilter(request, response); } // http host头漏洞攻击判断 public boolean isRightHost(String requestHost){ if(requestHost.indexOf("www.xxx.com") == -1 && requestHost.indexOf("服务器IP") == -1) { return true; } return false; }
方法二:nginx
if ($http_Host != '域名或ip:端口'){
return 403;
}
或
if ($http_Host !~*^域名或ip:端口$) {
return 403;这里可以自定义界面 参考
}
方法三:tomcat
Tomcat,修改server.xml文件,配置Host的name属性。
将Host里的name修改为静态的域名,如下: