Java: How to add X-Content-Type-Options to tomcat configuration

Note: this page is a Chinese-English translation of a popular StackOverflow question, published under the CC BY-SA 4.0 licence. If you use it, you must comply with the CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/24182367/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Time: 2020-08-14 10:39:30  Source: igfitidea

How to add X-Content-Type-Options to tomcat configuration

java security tomcat mime-types httpresponse

Asked by happenask

My client wants me to fix a Web App vulnerability of My Web App. Below is the message about the vulnerability of My Web App:


The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown

Although I have already found some solutions to this issue, I am looking for a solution in the tomcat configuration. Is it possible to make changes to the tomcat configuration to accomplish this?

Please give me any ideas.

Accepted answer by potato

I think you can achieve it on Tomcat level by the following steps:

  • create your filter, package it into jar, put jar into $CATALINA_BASE/lib/
  • add filter definition into $CATALINA_BASE/conf/web.xml

Answered by RonanOD

Sample filter class code.

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Adds the security headers to every response that passes through this filter.
// Register it in web.xml with a <filter> and a <filter-mapping> (e.g. url-pattern /*).
public class SampleResponseFilter implements Filter {

  @Override
  public void destroy() { }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException
  {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;
    // Protection against Type 1 Reflected XSS attacks
    res.addHeader("X-XSS-Protection", "1; mode=block");
    // Disabling browsers to perform risky mime sniffing
    res.addHeader("X-Content-Type-Options", "nosniff");
    // Headers are set before the chain runs so they are present even if the
    // downstream servlet commits the response early.
    chain.doFilter(req, res);
  }

  @Override
  public void init(FilterConfig filterConfig) throws ServletException { }
}

Answered by Ed Norris

If you're using Tomcat 8, it's really easy - add these two sections to your web.xml:

<filter>
    <filter-name>HeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>HeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The server response now has 'nosniff' and X-Frame-Options: DENY by default

Server response

More detail: Tomcat 8 Filter Configuration

Answered by Vering

To supplement the answer by Ed Norris: if I just use a filter mapping like this

    <filter-mapping>
        <filter-name>HeaderSecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

to target everything, there will be some unnecessary headers (x-xss-protection and X-Frame-Options) when loading media resources such as jpg, png etc. (according to the https://sonarwhal.com linting tool).

In order to avoid these I've created two filters and mappings like this:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>

<filter>
    <filter-name>httpHeaderSecurityNoX</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>false</param-value>
    </init-param>

    <async-supported>true</async-supported>
</filter>

...

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<filter-mapping>
    <filter-name>httpHeaderSecurityNoX</filter-name>
    <url-pattern>*.jpg</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<filter-mapping>
    <filter-name>httpHeaderSecurityNoX</filter-name>
    <url-pattern>*.png</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

and several more filter mappings hitting httpHeaderSecurityNoX for each of these extensions: png, gif, js, css, ico (maybe it could be contained in one single url-pattern?)

The init-param xssProtectionEnabled was not listed in the Tomcat web.xml comments, but I found it here:

https://vk4u.wordpress.com/2017/03/02/how-to-enable-security-filters-in-tomcat/
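As an added example (not part of Vering's answer or of Tomcat's own documentation), the same two-filter setup collapsed into one filter-mapping per filter: the Servlet specification (2.5 and later, which Tomcat 8 implements) allows several url-pattern elements inside a single filter-mapping, so the per-extension mappings above are not needed. The init-param names are Tomcat's HttpHeaderSecurityFilter parameters; blockContentTypeSniffingEnabled is not shown elsewhere on this page and the *.html pattern is an assumed addition.

```xml
<!-- Added example: full header set for HTML/JSP responses -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <!-- nosniff is on by default; set explicitly so the scanner finding is visibly addressed -->
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<!-- nosniff only: static assets need neither anti-framing nor XSS-filter headers -->
<filter>
    <filter-name>httpHeaderSecurityNoX</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.html</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<!-- one mapping covering every static extension, instead of one mapping per extension -->
<filter-mapping>
    <filter-name>httpHeaderSecurityNoX</filter-name>
    <url-pattern>*.jpg</url-pattern>
    <url-pattern>*.png</url-pattern>
    <url-pattern>*.gif</url-pattern>
    <url-pattern>*.js</url-pattern>
    <url-pattern>*.css</url-pattern>
    <url-pattern>*.ico</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

Extension patterns only match requests that carry one of those extensions, so a servlet mapped at a path such as /api/* receives no header from either filter; compare the mapping coverage against the list of pages the scanner reported before closing the finding.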