方法一:過濾器
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req=(HttpServletRequest) request;
// http host頭攻擊漏洞校驗
HttpServletResponse res = (HttpServletResponse) response;
String requestHost = req.getHeader("host");
if (requestHost != null && isRightHost(requestHost)){
res.setStatus(403);
return;
}
chain.doFilter(request, response);
}
// http host頭漏洞攻擊判斷
public boolean isRightHost(String requestHost){
if(requestHost.indexOf("www.xxx.com") == -1 && requestHost.indexOf("服務器IP") == -1) {
return true;
}
return false;
}
方法二:nginx
if ($http_Host != '域名或ip:端口'){
return 403;
}
或
if ($http_Host !~*^域名或ip:端口$) {
return 403;這里可以自定義界面 參考
}
方法三:tomcat
Tomcat,修改server.xml文件,配置Host的name屬性。
將Host里的name修改為靜態的域名,如下:
