| | |
|---|
| | | import javax.servlet.*; |
|---|
| | | import javax.servlet.annotation.WebFilter; |
|---|
| | | import javax.servlet.http.HttpServletRequest; |
|---|
| | | import javax.servlet.http.HttpServletRequestWrapper; |
|---|
| | | import javax.servlet.http.HttpServletResponse; |
|---|
| | | import java.io.IOException; |
|---|
| | | |
|---|
| | |
|---|
| | | resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH"); |
|---|
| | | resp.setHeader("Access-Control-Allow-Credentials", "true"); |
|---|
| | | |
|---|
| | | //处理响应头缺失,信息漏洞 |
|---|
| | | resp.addHeader("X-Frame-Options","SAMEORIGIN"); |
|---|
| | | resp.addHeader("Referrer-Policy","origin"); |
|---|
| | | resp.addHeader("Content-Security-Policy","object-src 'self'"); |
|---|
| | | resp.addHeader("X-Permitted-Cross-Domain-Policies","master-only"); |
|---|
| | | resp.addHeader("X-Content-Type-Options","nosniff"); |
|---|
| | | resp.addHeader("X-XSS-Protection","1; mode=block"); |
|---|
| | | resp.addHeader("X-Download-Options","noopen"); |
|---|
| | | resp.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload"); |
|---|
| | | |
|---|
| | | //单页面应用,只允许一个页面index.html |
|---|
| | | String servletPath = req.getServletPath(); |
|---|
| | | if(servletPath.contains(".html")){ |
|---|
| | | if(!servletPath.equals("/index.html") && !servletPath.equals("/doc.html") && !servletPath.equals("/mobile/index.html")){ |
|---|
| | | resp.setStatus(202); |
|---|
| | | return; |
|---|
| | | } |
|---|
| | | HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper((HttpServletRequest)req); |
|---|
| | | if(servletPath.equals("/index.html") && req.getParameter("n") == null) { |
|---|
| | | RequestDispatcher dispatcher = wrapper.getRequestDispatcher("/"); |
|---|
| | | dispatcher.forward(request, resp); |
|---|
| | | return; |
|---|
| | | } |
|---|
| | | } |
|---|
| | | |
|---|
| | | chain.doFilter(request, resp); |
|---|
| | | } |
|---|
| | | |
|---|
