我正在使用 JBoss EAP 7 ,并且我需要添加X-Content-Type-Options=nosniff标头作为服务器加固的一部分。
添加标题并chrome过滤掉文件后,缺少用于目录列表的 html,js(/?js)和css(?css)的内容类型标题,我们正在使用Undertow目录列出了。
有什么方法可以将文件的内容类型标头设置回去,以使Chrome不会将其过滤掉吗?
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="x-powered-by-header"/>
<filter-ref name="x-xss-protection"/>
<filter-ref name="strict-transport-security"/>
<filter-ref name="x-Content-type-options"/>
</host>
</server>
<servlet-container name="default" default-encoding="UTF-8" directory-listing="true">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" directory-listing="true" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
<response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
<response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
</filters>
</subsystem>
添加了X-Content-Type-Options
HTTP/1.1 200 OK
Date: Wed, 02 Jan 2019 05:42:59 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 7109
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive