| | |
|---|
| | | } |
|---|
| | | } |
|---|
| | | } |
|---|
| | | |
|---|
| | | //只准使用GET,POST |
|---|
| | | String method = req.getMethod().toUpperCase(); |
|---|
| | | String profileType = YamlProperties.profileType; |
|---|
| | | if(!profileType.contains("dev") && !(method.equals("GET")||method.equals("POST"))){ |
|---|
| | | resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
|---|
| | | response.setContentType("text/html;charset=utf-8"); |
|---|
| | | response.getWriter().write("不安全的请求"); |
|---|
| | | return; |
|---|
| | | } |
|---|
| | | //处理响应头缺失,信息漏洞 |
|---|
| | | resp.addHeader("X-Frame-Options","SAMEORIGIN"); |
|---|
| | | /*resp.addHeader("X-Frame-Options","SAMEORIGIN"); |
|---|
| | | resp.addHeader("Referrer-Policy","origin"); |
|---|
| | | resp.addHeader("Content-Security-Policy","object-src 'self'"); |
|---|
| | | resp.addHeader("X-Permitted-Cross-Domain-Policies","master-only"); |
|---|
| | | resp.addHeader("X-Content-Type-Options","nosniff"); |
|---|
| | | resp.addHeader("X-XSS-Protection","1; mode=block"); |
|---|
| | | resp.addHeader("X-Download-Options","noopen"); |
|---|
| | | resp.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload"); |
|---|
| | | resp.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");*/ |
|---|
| | | //resp.setHeader("X-Frame-Options","SAMEORIGIN"); |
|---|
| | | resp.setHeader("Referrer-Policy","origin"); |
|---|
| | | resp.setHeader("Content-Security-Policy","object-src 'self'"); |
|---|
| | | resp.setHeader("X-Permitted-Cross-Domain-Policies","master-only"); |
|---|
| | | resp.setHeader("X-Content-Type-Options","nosniff"); |
|---|
| | | resp.setHeader("X-XSS-Protection","1; mode=block"); |
|---|
| | | resp.setHeader("X-Download-Options","noopen"); |
|---|
| | | resp.setHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload"); |
|---|
| | | |
|---|
| | | |
|---|
| | | //单页面应用,只允许一个页面index.html |
|---|
| | | String servletPath = req.getServletPath(); |
|---|
