[Network/Java EE/Web] Configuring global security response headers in Tomcat and Nginx: X-Frame-Options / X-XSS-Protection / X-Content-Type-Options


Step1 Configure Tomcat

step1.1 Check whether the target HTTP security headers are already configured

  • Method 1: search Tomcat's conf/web.xml for the filter
cat /opt/myTomcat/conf/web.xml | grep --color=auto -C 10 -i "httpHeaderSecurity"
  • Method 2: inspect the response headers of any web page/request served by Tomcat

step1.2 Confirm that the HttpHeaderSecurityFilter class exists in the Tomcat server (catalina.jar)

[root@hostName testUser]# jar -tf /opt/myTomcat/lib/catalina.jar | grep -i "HttpHeaderSecurityFilter"
org/apache/catalina/filters/HttpHeaderSecurityFilter$XFrameOption.class
org/apache/catalina/filters/HttpHeaderSecurityFilter.class

step1.3 Use HttpHeaderSecurityFilter to configure global HTTP security response headers for Tomcat

Note: after the change, Tomcat loads the new configuration automatically, so there is no need to restart Tomcat.

vi /opt/myTomcat/conf/web.xml
(add the following configuration to the file)
  • SAMEORIGIN version
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingEnabled</param-name> <!-- X-Frame-Options, default value DENY -->
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name> <!-- X-Frame-Options, default DENY; the inner enum of org.apache.catalina.filters.HttpHeaderSecurityFilter: enum XFrameOption { DENY("DENY"), SAME_ORIGIN("SAMEORIGIN"), ALLOW_FROM("ALLOW-FROM"); } -->
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <init-param>
    <param-name>blockContentTypeSniffingEnabled</param-name> <!-- X-Content-Type-Options, default: true (nosniff) -->
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>xssProtectionEnabled</param-name> <!-- X-XSS-Protection, default: true (1; mode=block) -->
    <param-value>false</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
  • ALLOW-FROM version
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingEnabled</param-name> <!-- X-Frame-Options, default value DENY -->
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <!-- X-Frame-Options, default DENY;
         the inner enum of org.apache.catalina.filters.HttpHeaderSecurityFilter: enum XFrameOption { DENY("DENY"), SAME_ORIGIN("SAMEORIGIN"), ALLOW_FROM("ALLOW-FROM"); } -->
    <param-value>ALLOW-FROM</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingUri</param-name> <!-- the URI sent as the ALLOW-FROM argument -->
    <!-- <param-value>http://10.xx.yy.148:18460</param-value> -->
    <param-value>[http://10.xx.yy.148:18460][http://10.xx.yy.149:8085]</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>

[Notes]
Configuring HTTP response headers: header names X-Frame-Options / X-XSS-Protection / X-Content-Type-Options
- https://blog.csdn.net/liangpingguo/article/details/86703284
- https://blog.csdn.net/li_wen_jin/article/details/88353763
1. This configuration takes effect immediately: Tomcat reloads it at runtime, so no restart is needed once the edit is complete.

Step2 Configure Nginx

step2.1 Configure Nginx's HTTP security headers

# vi /usr/local/nginx/conf/nginx.conf

Add the following inside the http (or server) block. Keep in mind that Nginx inherits add_header directives from an enclosing block only when the current block defines none of its own, so a location block that has its own add_header line must repeat these three:
add_header X-Frame-Options "SAMEORIGIN"; # or: add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff"; # forbid MIME type sniffing

step2.2 After adding the directives, reload the Nginx configuration

Note: a reload does not interrupt the service Nginx is providing.

# /usr/local/nginx/sbin/nginx -s reload

Step3 Verify that the configuration took effect

(verify in the same way as step1.1)
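Step 3 says to verify as in step1.1, i.e. by looking at the response headers. The following Python script is an added example (not code from the original post or from Tomcat/Nginx) that does that check offline: it parses the header block of a raw HTTP/1.1 response, such as the output of `curl -si <url>` saved to a file, and reports which of the three headers are missing or carry a value other than the ones configured above. The two sample responses are constructed for the demonstration; the function and constant names are this example's own.

```python
"""Verify the three security headers on a raw HTTP response.

Added example, not from the original post. Parses the header block of an
HTTP/1.1 response and reports headers that are missing or carry a value
other than the ones the Tomcat filter / Nginx add_header lines produce.
"""
from typing import Dict, List, Tuple

# Values the configuration above is expected to produce. Header names are
# matched case-insensitively, as HTTP requires.
EXPECTED: Dict[str, Tuple[str, ...]] = {
    "x-frame-options": ("DENY", "SAMEORIGIN"),
    "x-content-type-options": ("nosniff",),
    "x-xss-protection": ("1; mode=block",),
}


def parse_response_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (status line, {lower-cased header name: value}) for a raw response.

    Only the header block is read; anything after the first blank line (the
    body) is ignored. Repeated headers are joined with ", " as RFC 7230 allows.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate stray non-header lines in pasted output
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_line, headers


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the three headers; an empty list means all are as expected."""
    findings: List[str] = []
    for name, allowed in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing: {name}")
        elif name == "x-frame-options" and value.upper().startswith("ALLOW-FROM"):
            # ALLOW-FROM (RFC 7034) is no longer implemented by current browsers,
            # which then behave as if the header were absent: no clickjacking protection.
            findings.append(f"obsolete value: {name}: {value}")
        elif value.lower() not in {v.lower() for v in allowed}:
            findings.append(f"unexpected value: {name}: {value}")
    return findings


def audit(raw_response: str) -> List[str]:
    """Parse a raw response and return its findings."""
    _, headers = parse_response_headers(raw_response)
    return check_security_headers(headers)


# Constructed sample: a Tomcat response before the filter is configured.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same response once the SAMEORIGIN configuration is active.
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(sample) or "all three headers present with expected values")
```

To check a live server, feed the script the saved output of `curl -si http://host:port/` through `parse_response_headers`; the lower-cased names in the findings make the output stable regardless of how Tomcat or Nginx capitalise the header.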

4 Header configuration details

These three headers address the following three (low-severity) scanner findings:

  • [Low] HTTP response header X-Content-Options: nosniff
  • [Low] HTTP response header X-XSS-Protection
  • [Low] HTTP response header X-Frame-Options

4-1 X-Content-Options

The remote web application does not set the X-Content-Options response header (the header's actual name is X-Content-Type-Options, as used in the configuration above).
X-Content-Options was proposed by Microsoft as a way to mitigate MIME-type attacks, and has also been implemented in Chrome and Safari.
[Figure: browser compatibility table for X-Content-Type-Options]

4-2 X-Frame-Options

Three values can be configured:
1. DENY: the browser refuses to display the page inside any frame. [the default value of org.apache.catalina.filters.HttpHeaderSecurityFilter (catalina.jar) in Tomcat]
2. SAMEORIGIN: the page may only be framed by pages from the same origin. [usually this value is sufficient]
3. ALLOW-FROM uri: the page may only be embedded in frames of the specified origin.
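To make the three values concrete, here is an added Python example (not from the original post) that decides whether a browser honouring X-Frame-Options would render a page inside a given chain of framing documents. It generalises the descriptions above: DENY and SAMEORIGIN follow the HTML standard, where SAMEORIGIN requires every ancestor document in the frame tree, not just the top-level one, to share the page's origin; ALLOW-FROM follows RFC 7034, a single origin compared with the top-level document. Current browsers no longer implement ALLOW-FROM and treat such a header as absent, so that branch models the legacy behaviour only. The function names and URLs are this example's own.

```python
"""Decide whether a page protected by X-Frame-Options may be framed.

Added example, not from the original post. Origins are compared as
(scheme, host, port) with default ports filled in, which is the same-origin
rule browsers apply.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

Origin = Tuple[str, str, Optional[int]]


def origin_of(url: str) -> Origin:
    """Return the (scheme, host, port) origin of a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def framing_allowed(xfo_value: Optional[str], page_url: str, ancestor_urls: List[str]) -> bool:
    """Return True if the page may be rendered inside the given frame chain.

    ancestor_urls lists the framing documents from the immediate parent up to the
    top-level document; an empty list means the page is loaded top-level.
    """
    if not ancestor_urls:
        return True  # not framed at all, so the header is irrelevant
    if xfo_value is None:
        return True  # no header: any site may frame the page (the clickjacking finding)
    directive, _, argument = xfo_value.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        page_origin = origin_of(page_url)
        # HTML standard: every ancestor must be same-origin with the page.
        return all(origin_of(url) == page_origin for url in ancestor_urls)
    if directive == "ALLOW-FROM":
        # Legacy RFC 7034 form: exactly one origin, checked against the top-level
        # document. Current browsers ignore this directive entirely, so this
        # branch models the old behaviour, not what a browser does today.
        return origin_of(argument.strip()) == origin_of(ancestor_urls[-1])
    return True  # unrecognised value: browsers ignore the header


if __name__ == "__main__":
    # Constructed URLs for the demonstration.
    print(framing_allowed("SAMEORIGIN", "https://app.example/page", ["https://app.example/"]))
    print(framing_allowed("SAMEORIGIN", "https://app.example/page", ["https://other.example/"]))
```

Because the same-origin comparison includes the scheme and port, an `http://` page framed by an `https://` page of the same host is not same-origin, which is why SAMEORIGIN deployments on mixed http/https sites sometimes break their own framing.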

5 Supplementary questions

(no time for these at the moment)

  1. The meaning of the configured values of X-Frame-Options / X-XSS-Protection / X-Content-Options
  2. The security findings the three headers relate to
  3. A walk-through of the org.apache.catalina.filters.HttpHeaderSecurityFilter source code
org.apache.catalina.filters.HttpHeaderSecurityFilter

[Source]
Tomcat (any version): /lib/catalina.jar:org.apache.catalina.filters.HttpHeaderSecurityFilter.class
Tomcat (source distribution): /java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java

[Important built-in constants]
private static final String HSTS_HEADER_NAME = "Strict-Transport-Security"; // HSTS, HTTP Strict Transport Security
private static final String ANTI_CLICK_JACKING_HEADER_NAME = "X-Frame-Options"; // click-jacking protection, refuse framing
private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME = "X-Content-Type-Options"; // block content sniffing
private static final String XSS_PROTECTION_HEADER_NAME = "X-XSS-Protection"; // cross-site scripting filter protection
  4. Browser compatibility of the three headers
  5. Other ways to configure headers in Java Web?
    See this blog post: Tomcat configuring the "X-Frame-Options header" - CSDN

X References and recommended reading

