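How to set the header X-Content-Type-Options "nosniff" in a Spring Boot application?

Time: 2018-08-27 07:00:13

Tags: javascript java css jsp spring-boot

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.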

1 answer:

Answer 0: (score: 0)

  1. Include Spring Security in the build (build.gradle)

    compile group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '2.1.4.RELEASE'

or in pom.xml.

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
        <version>2.1.2.RELEASE</version>
    </dependency>

ref: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security/2.1.2.RELEASE

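  2. Add the following Java code.

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // With Spring Security active, its default response headers
    // (including X-Content-Type-Options: nosniff) are written on every response.
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Turns off Spring Security's CSRF protection; the default headers stay enabled.
            http.csrf().disable();
        }
    }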

Before:

Content-Type →application/json;charset=UTF-8
Date →Wed, 15 May 2019 19:05:00 GMT
X-Auth-Token →5178dc4e-eac5-40be-9ded-dcfa85c644b6
X-B3-Spanid →3d9a5b2fd21b075c
X-B3-Traceid →3d9a5b2fd21b075c
X-Vcap-Request-Id →4988b251-c2c5-4c5f-558b-ed6bce724e1f
Content-Length →992

After:

X-B3-TraceId →51e54c950ae24fa1
X-B3-SpanId →51e54c950ae24fa1
X-Content-Type-Options →nosniff
X-XSS-Protection →1; mode=block
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Pragma →no-cache
Expires →0
X-Frame-Options →DENY
x-auth-token →92195048-341d-48a7-93a6-f6f0446f3f0c
Content-Type →application/json;charset=UTF-8
Transfer-Encoding →chunked
Date →Fri, 17 May 2019 15:50:59 GMT
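
The "After" response above gains the whole Spring Security default header set (Cache-Control, Pragma, Expires, X-Frame-Options, X-XSS-Protection) in addition to nosniff, and the answer's configuration also turns CSRF protection off. The following is an added example, not code from the answer: a configuration that emits only `X-Content-Type-Options: nosniff` and leaves CSRF protection at its default. It assumes the Spring Security 5.1.x line pulled in by the 2.1.x starter shown above; the class name `NoSniffOnlySecurityConfig` and the permit-all rule are assumptions, and the class is meant to replace the answer's `WebSecurityConfig`, not sit beside it.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; use it instead of the answer's WebSecurityConfig.
@EnableWebSecurity
public class NoSniffOnlySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Switch off the default header set, then re-enable only the
        // content-type-options writer, which sends
        // "X-Content-Type-Options: nosniff" on every response.
        // Without defaultsDisabled() the response also carries
        // Cache-Control: no-cache, no-store, ..., X-Frame-Options: DENY
        // and X-XSS-Protection, as in the "After" listing.
        http.headers()
            .defaultsDisabled()
            .contentTypeOptions();

        // Assumption: the application handles authentication elsewhere
        // (the responses above carry an X-Auth-Token), so no URL is
        // restricted here.
        http.authorizeRequests()
            .anyRequest().permitAll();

        // CSRF protection is deliberately left at its default (enabled).
        // State-changing requests (POST, PUT, DELETE) must then carry the
        // CSRF token Spring Security issues.
    }
}
```

To confirm the result, request any endpoint and check that `X-Content-Type-Options: nosniff` is present on both success and error responses, and that the caching headers no longer change.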