我们正在为我们的网站添加安全 header ,我们正在尝试使用可用的选项。我们在 httpd.conf 文件下修复了 Apache 服务器中的安全 header 。
现在我们正在更新我们在 tomcat 上运行的网站的安全 header ,我们在网上冲浪后尝试使用 goolge 上可用的选项无效。
我们需要更新我们网站的以下 header ,任何人都可以帮助我们解决这个问题。
Strict-Transport-Security
Content-Security-Policy
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
最佳答案
使用
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>2592000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
<param-name>blockContentTypeSniffingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>xssProtectionEnabled</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>/*</param-value>
</init-param>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>ExpiresFilter</filter-name>
<filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
<init-param>
<param-name>ExpiresDefault</param-name>
<param-value>access plus 1 days</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ExpiresFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<error-page>
<location>/index.html</location>
</error-page>
</web-app>
关于tomcat - 如何在 Tomcat web.xml 中添加 header ?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/43898029/