Host header attack: solutions

Method 1: Servlet filter

    import java.io.IOException;
    import java.util.Arrays;
    import java.util.HashSet;
    import java.util.Set;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class HostHeaderFilter implements Filter {   // init/destroy are default methods since Servlet 4.0
        // Allow-list of hosts this application is served under; placeholders kept from the original
        // ("服务器IP" stands for the server's own IP address)
        private static final Set<String> ALLOWED_HOSTS =
                new HashSet<>(Arrays.asList("www.xxx.com", "服务器IP"));

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;
            // Host header attack check: reject a missing Host as well as an unknown one
            String requestHost = req.getHeader("Host");
            if (requestHost == null || !isRightHost(requestHost)) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(request, response);
        }

        // Host header check: exact match against the allow-list after stripping the port.
        // The original substring test (indexOf) also accepted any host that merely contained the domain.
        public boolean isRightHost(String requestHost) {
            String host = requestHost.trim().toLowerCase();
            int colon = host.lastIndexOf(':');
            if (colon != -1 && !host.endsWith("]")) {   // strip ":port" but leave a bare IPv6 literal intact
                host = host.substring(0, colon);
            }
            return ALLOWED_HOSTS.contains(host);
        }
    }

Method 2: nginx

# Variant a: exact comparison. The nginx variable name is lowercase ($http_host);
# '域名或ip:端口' is the original's placeholder for your domain or IP plus port.
# Note that browsers send the port in Host only when it is not the scheme's default.
if ($http_host != '域名或ip:端口') {
    return 403;
}

# Variant b: regex form, anchored so that only an exact match passes
# (escape dots in a real domain, e.g. www\.xxx\.com)
if ($http_host !~* "^域名或ip:端口$") {
    return 403;   # a custom error page can be returned here instead; see reference
}

Method 3: Tomcat

In Tomcat, edit server.xml and configure the name attribute of the Host element.

Change the name in Host to a static domain, as follows:
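As an added example (not from the original post), the server.xml fragment below shows method 3 together with a caveat the post does not state: Tomcat routes a request whose Host header matches no named Host to the Engine's defaultHost, so naming the real domain alone does not reject unknown hosts. The hostname www.xxx.com is the post's placeholder; the catch-all host name _default_ and the empty directory webapps-empty are assumed names.

```xml
<Engine name="Catalina" defaultHost="_default_">

  <!-- Catch-all host: requests whose Host header matches no named Host below land
       here. appBase points at an existing, empty directory (assumed name), so every
       such request gets a 404 instead of being served by the real application. -->
  <Host name="_default_" appBase="webapps-empty"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false"/>

  <!-- The real application is bound to a static domain name (placeholder from the post);
       matching is case-insensitive and the port is ignored, so www.xxx.com:8080 also matches. -->
  <Host name="www.xxx.com" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <!-- Optional: further names this application may legitimately be reached under -->
    <Alias>xxx.com</Alias>
  </Host>

</Engine>
```

Tomcat requires defaultHost to match the name of one nested Host, which is why the catch-all host is declared explicitly rather than simply omitted.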

posted @ 2021-12-06 10:22 valar-dohaeris