tomcat - How to enable HSTS (HTTP Strict Transport Security) in Tomcat + JIRA

Tags: tomcat jira

It would be very helpful if someone could advise me on enabling the HSTS (HTTP Strict Transport Security) header in Tomcat.

My JIRA application runs on Tomcat, with no Apache or NGINX in front of it.

I want to set the HSTS response header for the JIRA application; please advise how to implement this in Tomcat.

Thanks in advance.

Best answer

I think this is what you are looking for. I took it from https://bz.apache.org/bugzilla/attachment.cgi?id=30003&action=edit

<filter>
    <filter-name>HstsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HstsFilter</filter-class>
    <init-param>
       <param-name>maxAgeSeconds</param-name>
       <param-value>31536000</param-value>
    </init-param>
    <init-param>
       <param-name>includeSubDomains</param-name>
       <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>HstsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

package org.apache.catalina.filters;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

public class HstsFilter extends FilterBase {
    private static final String HEADER_NAME = "Strict-Transport-Security";
    private static final String MAX_AGE_DIRECTIVE = "max-age=%s";
    private static final String INCLUDE_SUB_DOMAINS_DIRECTIVE = "includeSubDomains";

    private static final Log log = LogFactory.getLog(HstsFilter.class);

    // The default is "0", as recommended in section 11.2 of RFC 6797
    private int maxAgeSeconds = 0;
    private boolean includeSubDomains = false;

    private String directives;

    public void setMaxAgeSeconds(int maxAgeSeconds) {
        this.maxAgeSeconds = maxAgeSeconds;
    }

    public void setIncludeSubDomains(boolean includeSubDomains) {
        this.includeSubDomains = includeSubDomains;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);

        // Note that the HSTS header must not be included in HTTP responses
        // conveyed over non-secure transport
        if (request.isSecure() && response instanceof HttpServletResponse) {
            HttpServletResponse res = (HttpServletResponse) response;
            res.addHeader(HEADER_NAME, this.directives);
        }
    }

    @SuppressWarnings("boxing")
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);
        if (this.maxAgeSeconds < 0) {
            throw new ServletException(sm.getString(
                    "hsts.invalidParameterValue", this.maxAgeSeconds,
                    "maxAgeSeconds"));
        }
        this.directives = String.format(MAX_AGE_DIRECTIVE, this.maxAgeSeconds);
        if (this.includeSubDomains) {
            this.directives += (" ; " + INCLUDE_SUB_DOMAINS_DIRECTIVE);
        }
    }

    @Override
    protected Log getLogger() {
        return log;
    }
}

Check the code at the link I attached.
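An added check, not part of the question, the answer or Tomcat itself: a small Python verifier that parses a Strict-Transport-Security value following the RFC 6797 grammar (optional whitespace around ";", so the filter's "max-age=31536000 ; includeSubDomains" is accepted) and flags the failure modes the filter is meant to avoid, such as the header being sent over plain HTTP, missing on HTTPS, or carrying a short max-age. The sample header values are constructed, and the one-year minimum and the header-dict shape are assumptions for the example.

```python
"""Verify that a response carries a well-formed HSTS header (RFC 6797)."""
import re

HEADER = "Strict-Transport-Security"
MIN_MAX_AGE = 31536000  # assumed minimum for the check: one year, as in the web.xml above

# directive = token [ "=" ( token / quoted-string ) ]; directives are ";"-separated
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QSTR = r'"(?:[^"\\]|\\.)*"'
_DIRECTIVE = re.compile(r"^\s*(" + TOKEN + r")\s*(?:=\s*(" + QSTR + "|" + TOKEN + r"))?\s*$")
_NUM = re.compile(r"[0-9]+")


def parse_hsts(value):
    """Parse a header value into {lower-case directive name: value or None}.
    Raises ValueError on malformed or duplicate directives or a bad max-age."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate an empty element left by a trailing ";"
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError("malformed directive: %r" % part)
        name, raw = m.group(1).lower(), m.group(2)
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        if raw is not None and raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')  # unquote a quoted-string value
        directives[name] = raw
    if not _NUM.fullmatch(directives.get("max-age") or ""):
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives


def check_response(scheme, headers, min_max_age=MIN_MAX_AGE):
    """Return a list of findings for one response (empty list means OK).
    `scheme` is 'http' or 'https'; `headers` maps header names to values."""
    findings = []
    value = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    if scheme != "https":
        if value is not None:  # the filter only adds the header when request.isSecure()
            findings.append("HSTS header sent over non-secure transport")
        return findings
    if value is None:
        return ["HSTS header missing on HTTPS response"]
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return ["invalid HSTS header: %s" % e]
    if int(d["max-age"]) < min_max_age:
        findings.append("max-age %s below %d" % (d["max-age"], min_max_age))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings
```

Point `check_response` at the headers captured from the JIRA instance over both schemes; a clean result on HTTPS and an absent header on HTTP matches the filter's intended behaviour.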

Regarding "tomcat - How to enable HSTS (HTTP Strict Transport Security) in Tomcat + JIRA", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/30940902/
