fg重构项目
blame | 历史 | 补丁 | 提交 | 提交对比 | ignore whitespace
whyclxw
2025-05-28 e16302f9d475c7cc4dd18c5abf1a23cb5502e362 
 src/main/java/com/whyc/filter/CrossDomainFilter.java


@@ -42,20 +42,40 @@


                    resp.setHeader("Access-Control-Allow-Origin", origin);


                    resp.setHeader("Access-Control-Allow-Headers", "X-Requested-With,content-type,token");


                    //resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH");


                    resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, PATCH");


                    //resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, PATCH");


                    resp.setHeader("Access-Control-Allow-Methods", "GET, POST");


                    resp.setHeader("Access-Control-Allow-Credentials", "true");


                }


            }


        }




        //只准使用GET,POST


        String method = req.getMethod().toUpperCase();


        String profileType = YamlProperties.profileType;


        if(!profileType.contains("dev") && !(method.equals("GET")||method.equals("POST"))){


            resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);


            response.setContentType("text/html;charset=utf-8");


            response.getWriter().write("不安全的请求");


            return;


        }


        //处理响应头缺失,信息漏洞


        resp.addHeader("X-Frame-Options","SAMEORIGIN");


        /*resp.addHeader("X-Frame-Options","SAMEORIGIN");


        resp.addHeader("Referrer-Policy","origin");


        resp.addHeader("Content-Security-Policy","object-src 'self'");


        resp.addHeader("X-Permitted-Cross-Domain-Policies","master-only");


        resp.addHeader("X-Content-Type-Options","nosniff");


        resp.addHeader("X-XSS-Protection","1; mode=block");


        resp.addHeader("X-Download-Options","noopen");


        resp.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");


        resp.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");*/


        //resp.setHeader("X-Frame-Options","SAMEORIGIN");


        resp.setHeader("Referrer-Policy","origin");


        resp.setHeader("Content-Security-Policy","object-src 'self'");


        resp.setHeader("X-Permitted-Cross-Domain-Policies","master-only");


        resp.setHeader("X-Content-Type-Options","nosniff");


        resp.setHeader("X-XSS-Protection","1; mode=block");


        resp.setHeader("X-Download-Options","noopen");


        resp.setHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");






        //单页面应用,只允许一个页面index.html


        String servletPath = req.getServletPath();