
[Web security vulnerabilities] Cookie without the HttpOnly attribute, cookie without the Secure flag, and the X-Frame-Options response header (preventing embedding in an iframe)

2021/8/21 15:51:35


Example 1: fix on the Java side by adding a filter

package cn.com.ebidding.cms.module.portal.filter;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CookieFilter implements Filter {
    private Logger logger = LoggerFactory.getLogger(CookieFilter.class);

    public CookieFilter() {

    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse rep = (HttpServletResponse) response;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                String value = cookie.getValue();
                StringBuilder builder = new StringBuilder();
                builder.append(cookie.getName() + "=" + value + ";");
                builder.append("Path=/;");   // without an explicit Path the re-issued cookie is scoped to the request's directory, leaving the browser with duplicate cookies
                builder.append("Secure;");   // Secure flag: the browser only sends the cookie over HTTPS
                builder.append("HttpOnly;"); // HttpOnly flag: the cookie is not readable from script
                rep.addHeader("Set-Cookie", builder.toString());
                //rep.addHeader("x-frame-options","SAMEORIGIN");// clickjacking: emit the X-Frame-Options header here, or configure it separately in Tomcat
            }
        }
        chain.doFilter(request, response);
    }



    /** Returns the part of url before the first ':' (not used by doFilter; kept from the original). */
    public String getHost(String url) {
        Matcher matcher = Pattern.compile("^(.*?)(:|$)").matcher(url);
        return matcher.find() ? matcher.group(1) : null;
    }

    @Override
    public void destroy() {
    }

}

Example 2: register the filter in java_webapps\ROOT\WEB-INF\web.xml

  <!-- cookie: set HttpOnly and Secure -->
  <filter>
    <filter-name>cookieFilter</filter-name>
    <filter-class>cn.com.ebidding.cms.module.portal.filter.CookieFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>cookieFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Example 3: the server-side code above already shows how to set the X-Frame-Options response header; here it is set without changing code, through Tomcat, nginx or similar server configuration

Tomcat configuration

In 'conf/web.xml', add the following configuration inside the <web-app> element:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>


Example 4: setting the X-Frame-Options response header in Apache, nginx, IIS and other servers

X-Frame-Options response header: Apache configuration

Add the following line to the 'site' configuration:

Header always append X-Frame-Options SAMEORIGIN

nginx configuration

The directive goes in the 'http', 'server' or 'location' block; personally I prefer to put it in 'server'.

Normally the SAMEORIGIN value is used, which allows framing only by the same origin:

add_header X-Frame-Options SAMEORIGIN;

Allow a single domain to embed the page in an iframe:
add_header X-Frame-Options ALLOW-FROM http://whsir.com/;

Allow several domains to embed the page in an iframe; note that they are separated by commas here:

add_header X-Frame-Options "ALLOW-FROM http://whsir.com/,https://cacti.org.cn/";

IIS configuration

Add the following configuration to the 'Web.config' file:
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>

HAProxy configuration

Add this line to the 'frontend, listen, or backend' section:
rspadd X-Frame-Options:\ SAMEORIGIN
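As an added example (not code from the original post), the following Python audit parses a captured HTTP response and reports the three findings covered above: a Set-Cookie without HttpOnly, a Set-Cookie without Secure, and a missing or weak X-Frame-Options header. It is the check to run after applying the Java filter from Example 1 or any of the server configurations from Examples 3 and 4. Worth remembering when reading the result: the filter in Example 1 only re-issues cookies that arrived with the request, so a cookie the application sets later in the same response (a freshly created JSESSIONID, for instance) is not covered by it, which is why checking the real response matters. The two raw responses and the function names are constructed for this example.

```python
"""Audit an HTTP response for cookie flags and the X-Frame-Options header.

The raw responses below are constructed samples: one before the fix, one after.
"""
from typing import Dict, List, Tuple

# Constructed sample: cookies without flags, no anti-framing header.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Max-Age=3600\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: what the response should look like after the fix.
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Max-Age=3600; Secure; HttpOnly\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block, keeping repeats,
    since Set-Cookie legitimately appears once per cookie."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attributes(set_cookie: str) -> Dict[str, str]:
    """Split 'name=value; Attr; Attr=val' into lower-cased attribute names;
    flag attributes such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {"__name__": parts[0].split("=", 1)[0]}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def audit(raw: str) -> List[str]:
    """Return a list of findings; an empty list means the response is clean."""
    findings = []
    headers = parse_headers(raw)
    for name, value in headers:
        if name != "set-cookie":
            continue
        attrs = cookie_attributes(value)
        cname = attrs["__name__"]
        if "httponly" not in attrs:
            findings.append(f"cookie {cname}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {cname}: missing Secure")
    xfo = [v for n, v in headers if n == "x-frame-options"]
    if not xfo:
        findings.append("missing X-Frame-Options header")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete and ignored by current browsers, so anything
        # other than DENY or SAMEORIGIN gives no protection there.
        findings.append(f"X-Frame-Options value not DENY/SAMEORIGIN: {xfo[0]}")
    return findings


if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label, audit(raw) or ["clean"])
```

To audit a live server, capture the raw response (for example with curl -i) into a string and pass it to audit(); the parser treats header names case-insensitively and reads each Set-Cookie line separately, so cookies set by the application after the filter ran are reported too.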
