How to add X-Content-Type-Options to the Tomcat configuration

Time: 2014-06-12 10:41:02

Tags: java security tomcat mime-types httpresponse

My client wants me to fix a web application vulnerability in My Web App. Below is the message about the vulnerability:

Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown

Although I have already found a way to fix this problem, I am looking for a solution in the Tomcat configuration. Is it possible to make a change to the Tomcat configuration to achieve this?

Please give me any ideas.

4 Answers:

Answer 0 (score: 10)

If you are using Tomcat 8, it's easy - add these two sections to your web.xml:

<filter>
    <filter-name>HeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>HeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The server response now has 'nosniff' and X-Frame-Options: DENY by default.


More details: Server response

Answer 1 (score: 6)

I think you can achieve this at the Tomcat level with the following steps:

  • Create the filter, package it into a jar, and put the jar in $CATALINA_BASE/lib/
  • Add the filter definition to $CATALINA_BASE/conf/web.xml

Answer 2 (score: 5)

Sample filter class code.

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Adds the security headers to every response that passes through this filter.
public class SampleResponseFilter implements Filter {

  @Override
  public void destroy() { }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException
  {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;
    // Protection against Type 1 Reflected XSS attacks
    res.addHeader("X-XSS-Protection", "1; mode=block");
    // Stop browsers from performing risky MIME sniffing
    res.addHeader("X-Content-Type-Options", "nosniff");
    // Headers must be in place before the chain commits the response body.
    chain.doFilter(req, res);
  }

  @Override
  public void init(FilterConfig filterConfig) throws ServletException { }
}

Answer 3 (score: 2)

Adding to Ed Noriss's answer. If I just use a filter mapping like this

    <filter-mapping>
        <filter-name>HeaderSecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

to target everything, there are some unnecessary headers (x-xss-protection and X-Frame-Options) when loading media resources (such as jpg, png, etc.), according to the https://sonarwhal.com linting tool.

To avoid these, I created two filters and mappings like this:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>

<filter>
    <filter-name>httpHeaderSecurityNoX</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>false</param-value>
    </init-param>

    <async-supported>true</async-supported>
</filter>

...

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<filter-mapping>
    <filter-name>httpHeaderSecurityNoX</filter-name>
    <url-pattern>*.jpg</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<filter-mapping>
    <filter-name>httpHeaderSecurityNoX</filter-name>
    <url-pattern>*.png</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

There are several more filter mappings hitting httpHeaderSecurityNoX for each extension: png, gif, js, css, ico (maybe it could be put into a single url-pattern?)

The init-param xssProtectionEnabled is not listed in the Tomcat web.xml comments, but I found it here:

https://vk4u.wordpress.com/2017/03/02/how-to-enable-security-filters-in-tomcat/
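A quick way to confirm what the filter configuration actually emits, added here as an example that is not part of the thread: the script below parses a raw HTTP response head and applies the scanner's rules from the question (Content-Type present, X-Content-Type-Options exactly 'nosniff') together with the per-resource-type concern from answer 3 (X-Frame-Options and X-XSS-Protection are noise on image responses). The sample responses are constructed, not captured from a real Tomcat.

```python
from email.parser import BytesParser

# Headers that only matter for documents a browser renders; on image
# responses they are noise (the concern raised in answer 3).
DOCUMENT_ONLY_HEADERS = ("X-Frame-Options", "X-XSS-Protection")

def parse_response_head(raw):
    """Split a raw HTTP response into (status line, case-insensitive headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(header_block + b"\r\n")
    return status_line.decode("ascii", "replace"), headers

def audit_headers(raw):
    """Return the findings for one response; an empty list means it passes."""
    _, headers = parse_response_head(raw)
    findings = []
    content_type = headers.get("Content-Type")
    if content_type is None:
        findings.append("Content-Type header missing")
    # The scanner wants exactly 'nosniff'; any other value or absence fails.
    if headers.get("X-Content-Type-Options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options not set to 'nosniff'")
    # Image responses should carry nosniff but not the document-only headers.
    if content_type and content_type.split(";")[0].strip().lower().startswith("image/"):
        for name in DOCUMENT_ONLY_HEADERS:
            if name in headers:
                findings.append(name + " is unnecessary on an image response")
    return findings

# Constructed sample responses (not captured from a real server).
SAMPLE_VULNERABLE = (b"HTTP/1.1 200 OK\r\n"
                     b"Content-Type: text/html;charset=UTF-8\r\n\r\n<html></html>")
SAMPLE_FIXED_PAGE = (b"HTTP/1.1 200 OK\r\n"
                     b"X-Frame-Options: DENY\r\n"
                     b"X-Content-Type-Options: nosniff\r\n"
                     b"Content-Type: text/html;charset=UTF-8\r\n\r\n")
SAMPLE_IMAGE = (b"HTTP/1.1 200 OK\r\n"
                b"X-Frame-Options: DENY\r\n"
                b"X-XSS-Protection: 1; mode=block\r\n"
                b"X-Content-Type-Options: nosniff\r\n"
                b"Content-Type: image/png\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("vulnerable", SAMPLE_VULNERABLE),
                       ("fixed page", SAMPLE_FIXED_PAGE), ("image", SAMPLE_IMAGE)):
        print(label + ":", audit_headers(raw) or ["ok"])
```

To audit a live deployment, feed it the bytes returned by a raw HTTP client or a saved curl -i capture; the check is on the head only, so the body can be omitted.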