Summary of "missing response header" findings from a security scan

A scan of captured test traffic flagged missing response headers as vulnerabilities; I wrote a global interceptor, and the fix is as follows:

Finding: OPTIONS method enabled on the target server
Clickjacking: X-Frame-Options not configured
Referrer-Policy response header missing
Content-Security-Policy response header missing
X-Permitted-Cross-Domain-Policies response header missing
X-Content-Type-Options response header missing
X-XSS-Protection response header missing
X-Download-Options response header missing
HTTP Strict-Transport-Security missing

import lombok.NonNull;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.web.servlet.HandlerInterceptor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


/**
 * Global interceptor that adds the response headers the scanner reported as missing
 *
 * @author lijihong
 * @date 2022/07/12
 */
@Slf4j
public class SecurityBreachConfigInterceptor implements HandlerInterceptor {

    /**
     * Pre-handle: runs before the controller, so every header below is on the response up front
     *
     * @param request  request
     * @param response response
     * @param handler  handler
     * @return true to continue to the handler, false to end the request here
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, @NonNull Object handler) {
        log.info("global interceptor start ...");
        log.info("request path[{}] uri[{}]", request.getServletPath(), request.getRequestURI());
        // Finding: OPTIONS method enabled on the target server.
        // These CORS headers answer the browser preflight; they do not disable OPTIONS.
        // Caveat: browsers reject Access-Control-Allow-Origin "*" combined with
        // Access-Control-Allow-Credentials "true", and with credentials the "*" in
        // Access-Control-Allow-Headers is read literally, so a credentialed cross-origin
        // request still fails. If credentials are needed, echo a specific allowlisted
        // Origin instead of "*". A wide-open CORS policy is itself a common scanner finding.
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS");
        response.setHeader("Access-Control-Max-Age", "86400");
        response.setHeader("Access-Control-Allow-Headers", "*");


        // setHeader rather than addHeader, so each header appears exactly once even if
        // the interceptor runs more than once for the same response (e.g. error dispatch)

        // Clickjacking: X-Frame-Options not configured
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        // Referrer-Policy response header missing. The name has two r's ("Referrer-Policy");
        // a "Referer-Policy" header is ignored by browsers and still flagged by the scanner.
        // "origin" sends the origin even on downgrade; "strict-origin-when-cross-origin"
        // is the usual stricter choice.
        response.setHeader("Referrer-Policy", "origin");
        // Content-Security-Policy response header missing. object-src alone only restricts
        // plugin content (Flash, Java applets); it satisfies the presence check but does not
        // mitigate script injection, which needs a script-src directive.
        response.setHeader("Content-Security-Policy", "object-src 'self'");
        // X-Permitted-Cross-Domain-Policies response header missing (Flash/Acrobat cross-domain policy files)
        response.setHeader("X-Permitted-Cross-Domain-Policies", "master-only");
        // X-Content-Type-Options response header missing (disables MIME sniffing)
        response.setHeader("X-Content-Type-Options", "nosniff");
        // X-XSS-Protection response header missing. The header is deprecated and ignored by
        // current Chromium and Firefox; it is set here only because the scanner expects it.
        response.setHeader("X-XSS-Protection", "1; mode=block");
        // X-Download-Options response header missing (legacy IE: do not open downloads in the site context)
        response.setHeader("X-Download-Options", "noopen");
        // HTTP Strict-Transport-Security missing. Browsers honour HSTS only on HTTPS responses,
        // and "preload" commits every subdomain to HTTPS; keep it only after submitting the
        // domain to the preload list.
        response.setHeader("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");

        // End OPTIONS (preflight) requests here with 204; the headers above are already set
        if (HttpMethod.OPTIONS.toString().equals(request.getMethod())) {
            response.setStatus(HttpStatus.NO_CONTENT.value());
            log.info("found OPTIONS request .....");
            return false;
        }
        log.info("global interceptor end ...");
        return true;
    }
}
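The CORS block above is what the scanner wanted to see, but a browser will not accept the wildcard origin together with credentials. The following is an added example, not code from the original post, of the same interceptor pattern with an origin allowlist: it echoes a specific allowed Origin, adds Vary: Origin, enumerates methods and headers explicitly (with credentials a "*" there is taken literally), answers the preflight with 204 for allowed origins and refuses it with 403 for everything else. The ALLOWED_ORIGINS values and the class name are assumptions for illustration.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;

/**
 * Added example (not part of the original post): CORS handling that a browser
 * actually accepts for credentialed requests. The allowlist below is hypothetical.
 */
public class AllowlistCorsInterceptor implements HandlerInterceptor {

    // Hypothetical allowlist: the exact origins (scheme + host + port) the front-end is served from
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://admin.example.com");

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        String origin = request.getHeader("Origin");
        // A preflight is an OPTIONS request that also carries Access-Control-Request-Method
        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;

        if (origin == null) {
            // Same-origin or non-browser request: no CORS headers at all
            return true;
        }

        // The answer depends on Origin, so shared caches must key on it
        response.addHeader("Vary", "Origin");

        if (!ALLOWED_ORIGINS.contains(origin)) {
            if (preflight) {
                // Unknown origin: refuse the preflight and emit no Access-Control-* headers
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                return false;
            }
            // Simple request from an unknown origin: it still reaches the handler, but
            // without Access-Control-Allow-Origin the browser blocks the page from reading the response
            return true;
        }

        // Echo the specific origin: "*" combined with credentials is rejected by browsers
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Access-Control-Allow-Credentials", "true");
        if (preflight) {
            // With credentials, "*" in these headers is read literally, so enumerate them
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Requested-With");
            response.setHeader("Access-Control-Max-Age", "86400");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return false;
        }
        return true;
    }
}
```

Register it the same way as the interceptor above. Note that Spring MVC already provides this logic natively through WebMvcConfigurer.addCorsMappings, e.g. registry.addMapping("/**").allowedOrigins("https://app.example.com").allowCredentials(true), which is the idiomatic choice for a new project; neither variant "disables" OPTIONS, they only answer the preflight correctly.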

Registering the interceptor. A HandlerInterceptor only runs for requests that the DispatcherServlet maps to a handler, so responses produced earlier (a filter that ends the request, the container's own error page for an unknown servlet path) will not carry these headers; a servlet Filter, or Spring Security's headers() configuration, covers those cases as well.

import cn.chinaunicom.sdsi.uitl.securityBreach.SecurityBreachConfigInterceptor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebAppConfigurer implements WebMvcConfigurer {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // global security-header interceptor, applied to every mapped path
        registry.addInterceptor(new SecurityBreachConfigInterceptor()).addPathPatterns("/**");
    }
}
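Before re-running the scanner it is worth checking the interceptor in isolation. The following JUnit 5 test is an added example, not part of the original post; it drives SecurityBreachConfigInterceptor with spring-test's MockHttpServletRequest and MockHttpServletResponse and asserts that every header the scanner listed is present exactly once under its exact name (a misspelled "Referer-Policy" or a header emitted twice by a duplicated addHeader call fails the first test) and that an OPTIONS request is ended with 204 while still carrying the headers. It assumes spring-test and junit-jupiter on the test classpath.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.List;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

/**
 * Added example (not part of the original post): unit test for the interceptor above.
 * Requires spring-test and junit-jupiter on the test classpath.
 */
class SecurityBreachConfigInterceptorTest {

    // Header names exactly as the scanner reports them; "Referer-Policy" would not match
    private static final List<String> REQUIRED = List.of(
            "X-Frame-Options", "Referrer-Policy", "Content-Security-Policy",
            "X-Permitted-Cross-Domain-Policies", "X-Content-Type-Options",
            "X-XSS-Protection", "X-Download-Options", "Strict-Transport-Security");

    private final SecurityBreachConfigInterceptor interceptor = new SecurityBreachConfigInterceptor();

    @Test
    void getRequestCarriesEverySecurityHeaderExactlyOnce() {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/api/ping");
        MockHttpServletResponse response = new MockHttpServletResponse();

        // Normal request: the handler chain continues
        assertTrue(interceptor.preHandle(request, response, new Object()));
        for (String name : REQUIRED) {
            // getHeaders(name) is empty when the header is missing; a size of 2 reveals a duplicate
            assertEquals(1, response.getHeaders(name).size(), "header " + name);
        }
        assertEquals("SAMEORIGIN", response.getHeader("X-Frame-Options"));
        assertEquals("nosniff", response.getHeader("X-Content-Type-Options"));
        assertTrue(response.getHeader("Strict-Transport-Security").startsWith("max-age="));
    }

    @Test
    void optionsRequestIsEndedWith204AndStillCarriesHeaders() {
        MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/api/ping");
        MockHttpServletResponse response = new MockHttpServletResponse();

        // OPTIONS is short-circuited: preHandle returns false and sets 204
        assertFalse(interceptor.preHandle(request, response, new Object()));
        assertEquals(204, response.getStatus());
        for (String name : REQUIRED) {
            assertNotNull(response.getHeader(name), "header " + name);
        }
    }
}
```

The unit test only proves the interceptor sets the headers on requests that reach it; after deploying, confirm with a real request (e.g. curl -sI against the HTTPS endpoint) that the same names appear in production, since responses produced by filters or the container before the DispatcherServlet will not pass through this code.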
