Question

我们正在为我们的网站添加安全标头，我们正在尝试使用可用的选项。我们在httpd.conf文件下修复了Apache服务器中的安全头。

现在我们正在更新我们在tomcat上运行的网站的安全标头，我们尝试使用goolge上的选项，之后没有任何工作。

我们需要更新我们网站的以下标题，任何人都可以帮助我们。

Strict-Transport-Security 
Content-Security-Policy 
X-Frame-Options 
X-XSS-Protection 
X-Content-Type-Options

Answer 1

使用

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>2592000</param-value>
    </init-param>
    <init-param>
      <param-name>hstsIncludeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>      
    <init-param>
      <param-name>antiClickJackingEnabled</param-name>
      <param-value>true</param-value>
    </init-param>     
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>  
    <init-param>
      <param-name>blockContentTypeSniffingEnabled</param-name>
      <param-value>true</param-value>
    </init-param>  
    <init-param>
      <param-name>xssProtectionEnabled</param-name>
      <param-value>true</param-value>
    </init-param> 
  </filter>
 <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>/*</param-value>
  </init-param>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>  
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>ExpiresFilter</filter-name>
    <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
    <init-param>
      <param-name>ExpiresDefault</param-name>
      <param-value>access plus 1 days</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>ExpiresFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  
  <error-page>
    <location>/index.html</location>
  </error-page>
</web-app>

如何在Tomcat web.xml中添加标头？

1 个答案: