【SpringBoot】安全漏洞处理

以下是根据漏洞扫描（漏扫）结果进行修复后的一些零散记录。

一、容器（禁用扫描器标记的 HTTP 方法）

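@Configuration
public class TomcatContainerConfig {

    /**
     * HTTP methods the vulnerability scan flagged for this service.
     *
     * <p>Caveat for the next reader: blocking {@code OPTIONS} also blocks CORS
     * preflight requests, and {@code HEAD} is normally harmless (it mirrors
     * {@code GET} without a body). Remove those two from this list if the
     * application needs them.
     */
    private static final String[] BLOCKED_METHODS = {
        "HEAD", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE", "COPY", "SEARCH", "PROPFIND"
    };

    /**
     * Customises the embedded Tomcat so that every method in
     * {@link #BLOCKED_METHODS} is rejected (HTTP 403) on every path.
     *
     * <p>Why the constraint now carries an auth-constraint: the earlier version
     * only set the user-data constraint {@code CONFIDENTIAL}. Tomcat treats that
     * as a transport requirement, not a denial -- over plain HTTP it redirects to
     * the connector's SSL redirect port (or answers 403 when none is configured),
     * but as soon as the request is seen as secure (an HTTPS connector, or a
     * trusted {@code X-Forwarded-Proto} from a TLS-terminating proxy) the blocked
     * methods are served normally. A {@code <security-constraint>} with an
     * {@code <auth-constraint>} and no roles is what denies access to everyone;
     * {@link SecurityConstraint#setAuthConstraint(boolean)} produces exactly that.
     *
     * @return the Tomcat factory with the method-blocking constraint installed
     */
    @Bean
    public ConfigurableServletWebServerFactory servletContainer() {
        return new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityConstraint constraint = new SecurityConstraint();
                // auth-constraint with an empty role list: nobody may use these methods
                constraint.setAuthConstraint(true);

                SecurityCollection collocation = new SecurityCollection();
                collocation.addPattern("/*");
                for (String method : BLOCKED_METHODS) {
                    collocation.addMethod(method);
                }
                constraint.addCollection(collocation);
                context.addConstraint(constraint);
            }
        };
    }
}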

 

二、请求（Actuator 访问控制与安全响应头）

引入 Spring Security 组件（Maven 依赖）：

        <!-- Spring Security starter. No <version> is given here, so it is expected to be
             supplied by Spring Boot's dependency management (parent POM or imported BOM). -->
        <dependency>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

代码中增加如下配置。注意：其中的 csrf().disable() 仅适用于不依赖 Cookie/Session 认证的无状态接口；面向浏览器、使用会话的应用应保留 CSRF 防护。

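@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Closes the actuator to all callers and adds the response headers the
     * scanner asked for; every other request stays open (no authentication).
     *
     * <p>Notes for the next reader:
     * <ul>
     *   <li>{@code WebSecurityConfigurerAdapter} is deprecated since Spring
     *       Security 5.7; the same rules can be expressed as a
     *       {@code SecurityFilterChain} bean when the project upgrades.</li>
     *   <li>{@code contentTypeOptions()} and {@code xssProtection()} are part of
     *       Spring Security's default header set; calling them again is harmless
     *       but not what actually enables them.</li>
     *   <li>The actuator matchers assume the default base path. If
     *       {@code management.endpoints.web.base-path} is changed, adjust them.</li>
     * </ul>
     *
     * @param http the builder for the application's security filter chain
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Actuator is fully closed. If an orchestrator needs /actuator/health,
                // add a permitAll() for that single path before these deny rules.
                .antMatchers("/actuator", "/actuator/**").denyAll()
                .anyRequest().permitAll();

        // SECURITY: disabling CSRF is only acceptable for a stateless API that does not
        // authenticate via cookies or an HTTP session. For a browser-facing app with
        // sessions this reopens CSRF -- keep the token filter instead of disabling it.
        http.csrf().disable();

        // Allow framing only by our own origin (Spring's default is DENY, which is stricter).
        http.headers().frameOptions().sameOrigin();
        http.headers().referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN);
        // 'self' alone blocks inline <script>/<style> and any CDN-hosted assets; if the UI
        // relies on them, roll this out as Content-Security-Policy-Report-Only first.
        http.headers().contentSecurityPolicy("default-src 'self'");
        // Legacy header: modern browsers removed the XSS auditor and OWASP now recommends
        // the value "0"; left in place because the scan checked for its presence.
        http.headers().xssProtection();
        http.headers().contentTypeOptions();
        // Legacy IE: do not open downloads directly in the site's security context.
        http.headers().addHeaderWriter(new StaticHeadersWriter("X-Download-Options", "noopen"));
        // "none" forbids every Flash/PDF cross-domain policy file. The previous value
        // "by-ftp-filename" still honoured policy files named crossdomain.xml, which is
        // weaker than what this header is normally set for.
        http.headers().addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none"));
    }
}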

 
