Question

我正在使用Checkmarx分析我的项目，唯一剩下的中等严重性项目为Missing_HSTS_Filter，目标名称为HSTSFilter。在我的web.xml中，我有：

<filter>
    <filter-name>HSTSFilter</filter-name> <!-- checkmarx says problem is here -->
    <filter-class>c.h.i.c.web.security.HSTSFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

HSTSFilter类：

public class HSTSFilter implements Filter {
    public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        if (req.isSecure())
            resp.setHeader("Strict-Transport-Security", "max-age=31622400; includeSubDomains");
        chain.doFilter(req, resp);
    }
}

所以我尝试了其他方法，因为我使用的是Tomcat 7，所以尝试在web.xml中添加以下内容：

<filter> <!-- checkmarx now complains here -->
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31622400</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Checkmarx仍然抱怨，说这次的目的地名称是StatementCollection。我不明白那是什么意思。

我想念什么？

Answer 1

奇怪的事情。您确实使用了正确的配置。根据此Checkmarx规则，在某些扫描中我发现很多误报。无论如何，尝试在过滤器配置中将此行添加到您的web.xml中：

<init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
</init-param>

<init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
</init-param>

Checkmarx报告中缺少HSTS标头

1 个答案: