【问题标题】:How do I add headers in Tomcat web.xml?如何在 Tomcat web.xml 中添加标头?
【发布时间】:2017-05-10 16:24:39
【问题描述】:

我们正在为我们的网站添加安全标头,并且正在尝试使用可用的选项。我们已经修复了 Apache 服务器中 httpd.conf 文件下的安全标头。

现在我们正在更新我们在 tomcat 上运行的网站的安全标头,我们在网上冲浪后尝试使用 goolge 上可用的选项。

我们需要更新我们网站的以下标题,任何人都可以帮助我们。

Strict-Transport-Security 
Content-Security-Policy 
X-Frame-Options 
X-XSS-Protection 
X-Content-Type-Options

【问题讨论】:

    标签: tomcat


    【解决方案1】:

    使用

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
             version="3.1">
    
      <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
          <param-name>hstsEnabled</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>hstsMaxAgeSeconds</param-name>
          <param-value>2592000</param-value>
        </init-param>
        <init-param>
          <param-name>hstsIncludeSubDomains</param-name>
          <param-value>true</param-value>
        </init-param>      
        <init-param>
          <param-name>antiClickJackingEnabled</param-name>
          <param-value>true</param-value>
        </init-param>     
        <init-param>
          <param-name>antiClickJackingOption</param-name>
          <param-value>SAMEORIGIN</param-value>
        </init-param>  
        <init-param>
          <param-name>blockContentTypeSniffingEnabled</param-name>
          <param-value>true</param-value>
        </init-param>  
        <init-param>
          <param-name>xssProtectionEnabled</param-name>
          <param-value>true</param-value>
        </init-param> 
      </filter>
     <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>/*</param-value>
      </init-param>
      <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>  
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter>
        <filter-name>ExpiresFilter</filter-name>
        <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
        <init-param>
          <param-name>ExpiresDefault</param-name>
          <param-value>access plus 1 days</param-value>
        </init-param>
      </filter>
    
      <filter-mapping>
        <filter-name>ExpiresFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      
      <error-page>
        <location>/index.html</location>
      </error-page>
    </web-app>

    【讨论】:

    • 这似乎没有启用Content-Security-Policy 标头?
    猜你喜欢
    • 2014-05-23
    • 2021-12-24
    • 2018-07-22
    • 2011-06-24
    • 2017-04-30
    • 2018-05-05
    • 2019-02-16
    • 2015-08-30
    • 2020-03-09
    相关资源
    最近更新 更多