AppScan vulnerability scan findings: "X-Content-Type-Options" header missing or insecure, "X-XSS-Protection" header missing or insecure, cross-frame scripting defense missing or insecure
Solution:
Tomcat ships a filter, org.apache.catalina.filters.HttpHeaderSecurityFilter, that sets the three headers these findings ask for (X-Frame-Options, X-Content-Type-Options: nosniff, X-XSS-Protection: 1; mode=block) and optionally Strict-Transport-Security. Declare it in the application's WEB-INF/web.xml, or in Tomcat's conf/web.xml to apply it to every deployed webapp (conf/web.xml already contains this filter definition, commented out). Two things to check before copying: the HSTS parameter is spelled hstsIncludeSubDomains (the filter treats an unknown parameter name as a fatal configuration error, so a misspelling stops the webapp from starting), and the filter only adds Strict-Transport-Security to requests Tomcat sees as secure, so behind a TLS-terminating reverse proxy the connector needs secure="true" or a RemoteIpValve/RemoteIpFilter that honours X-Forwarded-Proto, otherwise the header never appears. X-XSS-Protection itself is deprecated and ignored by current Chromium and Firefox; enabling it satisfies the scanner, but a Content-Security-Policy is the actual XSS mitigation. Add the following to web.xml:
<!-- HttpHeaderSecurityFilter ships with Tomcat (org.apache.catalina.filters).
     It adds X-Frame-Options, X-Content-Type-Options, X-XSS-Protection and,
     on secure (HTTPS) requests only, Strict-Transport-Security. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <!-- Cross-frame scripting (clickjacking) defense: X-Frame-Options.
         Valid options are DENY, SAMEORIGIN and ALLOW-FROM; use DENY if nothing
         on this site legitimately frames the application. -->
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <!-- X-Content-Type-Options: nosniff. Set explicitly rather than relying on the default. -->
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- X-XSS-Protection: 1; mode=block. The default for this parameter differs
         between Tomcat versions, so state it explicitly. -->
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- HSTS for one year, including subdomains. Only sent when request.isSecure() is true. -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <!-- Note the spelling: hstsIncludeSubDomains (not htst...). -->
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
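After restarting Tomcat, confirm the headers actually reach the client before re-running AppScan. The POSIX shell checker below is an added example, not code from the original post or from Tomcat: it parses a raw response header block, reports each of the four headers that is missing or carries a value the scanner would still flag, and returns non-zero if any is wrong. The two sample responses are constructed for the demo, not captured from a real server, and the required set and the one-year HSTS threshold are assumptions taken from the filter configuration above.

```shell
#!/bin/sh
# Added example (not from the original post or Tomcat): verify that a response
# carries the headers the AppScan findings above ask for.
# Live usage:  curl -sI https://host/app/ | check_security_headers "$(cat)"
# The HSTS threshold of one year matches hstsMaxAgeSeconds=31536000 in the filter config.

# header_value RESPONSE NAME
# Print the value of header NAME from the raw response text (status line plus
# headers). Names are compared case-insensitively, as HTTP requires; the first
# match wins. Prints nothing if the header is absent.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v name="$2" '
        {
            i = index($0, ":")
            if (i == 0) next                      # status line or blank line
            if (tolower(substr($0, 1, i - 1)) == tolower(name)) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v
                exit
            }
        }'
}

# missing_headers RESPONSE
# Print, one per line, each required header that is absent entirely.
missing_headers() {
    for h in X-Content-Type-Options X-XSS-Protection X-Frame-Options Strict-Transport-Security; do
        [ -n "$(header_value "$1" "$h")" ] || echo "$h"
    done
}

# check_security_headers RESPONSE
# Report every header that is missing or carries a value the scanner would
# still flag as insecure; return 0 only if all four are acceptable.
check_security_headers() {
    rc=0
    v=$(header_value "$1" X-Content-Type-Options)
    [ "$v" = nosniff ] || { echo "X-Content-Type-Options: expected 'nosniff', got '$v'"; rc=1; }

    v=$(header_value "$1" X-Frame-Options | tr 'a-z' 'A-Z')
    case "$v" in
        DENY|SAMEORIGIN) ;;   # ALLOW-FROM is ignored by current browsers, so it is not accepted
        *) echo "X-Frame-Options: expected DENY or SAMEORIGIN, got '$v'"; rc=1 ;;
    esac

    v=$(header_value "$1" X-XSS-Protection)
    [ "$(printf '%s' "$v" | cut -d';' -f1 | tr -d ' ')" = 1 ] ||
        { echo "X-XSS-Protection: expected '1' or '1; mode=block', got '$v'"; rc=1; }

    v=$(header_value "$1" Strict-Transport-Security)
    age=$(printf '%s' "$v" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
        echo "Strict-Transport-Security: expected max-age >= 31536000, got '$v'"; rc=1
    fi
    return $rc
}

# Constructed sample responses (not captured from a real server): the first is a
# plain Tomcat response without the filter, the second is what the filter
# configuration above produces on an HTTPS request.
BEFORE_FIX='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Length: 1234'

AFTER_FIX='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=UTF-8'

echo "--- before fix ---"; check_security_headers "$BEFORE_FIX" || true
echo "--- after fix ---";  check_security_headers "$AFTER_FIX" && echo "all required headers present"
```

If the application rejects HEAD requests, capture the headers of a GET instead with `curl -s -o /dev/null -D - https://host/app/`. Run the check through the same path users take (the reverse proxy, over HTTPS): if everything passes except Strict-Transport-Security, the usual cause is that Tomcat is not seeing the request as secure, not that the filter is missing.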
Source: https://www.cnblogs.com/zrxuexi/p/14866026.html