I'm trying to add the Content-Security-Policy response header in a JBoss environment using the httpd.conf file, but I can't see any change in the application. I tried setting the header with the following:
Header set Content-Security-Policy "default-src 'self';"
add_header Content-Security-Policy "default-src 'self';";
Answer 0 (score: 0)
If you are handling the request from a servlet, add the header to the response object in the appropriate method (i.e. doGet, doPost, ...).
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
// Inside your HttpServlet subclass:
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
{
    // Set the header before any body content is written.
    response.setHeader("Content-Security-Policy", "default-src 'self';");
    // ...
}
If you are using JSF, create a filter and configure it in your web.xml file:
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
public class SecurityFilter implements Filter
{
    @Override
    public void init(final FilterConfig filterConfig) throws ServletException
    {
        // Nothing to initialise.
    }
    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
            throws IOException, ServletException
    {
        // Set the header before continuing so every response through this filter carries it.
        HttpServletResponse httpRes = (HttpServletResponse) response;
        httpRes.setHeader("Content-Security-Policy", "default-src 'self';");
        // Continue the chain.
        chain.doFilter(request, response);
    }
    @Override
    public void destroy() { }
}
Example entry to add to web.xml:
<filter>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>com.blah.blah.SecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <servlet-name>FacesServlet</servlet-name>
</filter-mapping>
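One way to confirm the header is actually reaching the client once the filter is deployed, and that the policy it carries is not trivially weak, as an added example that is not part of the original answer (Python; the sample response headers are constructed, and the fetch_headers helper is assumed to be pointed at your own application):

```python
"""Check that an HTTP response carries the Content-Security-Policy header
the filter is meant to set, and flag obviously weak directives.
Added example; the sample headers below are constructed, not captured."""
from __future__ import annotations

import http.client
from urllib.parse import urlparse


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split "default-src 'self'; img-src *" into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            # First token is the directive name; the rest are its sources.
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_csp(headers: dict[str, str]) -> list[str]:
    """Return findings for a set of response headers (empty list means OK)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    value = lower.get("content-security-policy")
    if value is None:
        if "content-security-policy-report-only" in lower:
            findings.append("policy is report-only; it is not enforced")
        else:
            findings.append("Content-Security-Policy header is missing")
        return findings
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("no default-src fallback; unlisted fetch directives are unrestricted")
    for name, sources in policy.items():
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in sources:
                findings.append(f"{name} allows {weak}")
    return findings


def fetch_headers(url: str, timeout: float = 5.0) -> dict[str, str]:
    """GET the URL and return its response headers (needs network; assumed helper)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    conn.request("GET", u.path or "/")
    return dict(conn.getresponse().getheaders())


# Constructed samples: a response before the filter is in place, and one after.
BEFORE = {"Content-Type": "text/html", "Server": "JBoss"}
AFTER = {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self';"}
```

Run audit_csp(fetch_headers("http://localhost:8080/yourapp/")) against a deployed instance; an empty list confirms the filter's header arrived and the policy has a default-src fallback with none of the flagged sources.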