AppScan漏洞扫描之-“X-Content-Type-Options”头缺失或不安全、“X-XSS-Protection”头缺失或不安全、跨帧脚本编制防御缺失或不安全

AppScan漏洞扫描之-“X-Content-Type-Options”头缺失或不安全、“X-XSS-Protection”头缺失或不安全、跨帧脚本编制防御缺失或不安全

由 无人久伴 提交于 2020-04-10 11:18:37

 

解决方案:

 

        tomcat的web.xml中增加:

<filter>
             <filter-name>httpHeaderSecurity</filter-name>
             <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
             <init-param>
                     <param-name>antiClickJackingOption</param-name>
                     <param-value>SAMEORIGIN</param-value>
             </init-param>
             <init-param>
                     <param-name>hstsEnabled</param-name>
                     <param-value>true</param-value>
             </init-param>                         
             <init-param>            
                     <param-name>hstsMaxAgeSeconds</param-name>                                    
                     <param-value>31536000</param-value>                                        
             </init-param>                                       
             <init-param>                          
                     <param-name>htstIncludeSubDomains</param-name>                                              
                     <param-value>true</param-value>                                                  
             </init-param>
             <async-supported>true</async-supported>
     </filter>
<filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
</filter-mapping>
posted @ 2021-06-09 11:02  caibutou  阅读(3796)  评论(0编辑  收藏  举报