| | |
|---|
| | | HttpServletResponse resp= (HttpServletResponse) response; |
|---|
| | | HttpServletRequest req= (HttpServletRequest) request; |
|---|
| | | String origin = req.getHeader("Origin"); |
|---|
| | | if(StringUtils.isNotBlank(origin)) { //没有origin来源,不允许跨域设置 |
|---|
| | | /*if(StringUtils.isNotBlank(origin)) { //没有origin来源,不允许跨域设置 |
|---|
| | | String allowedCORSDomainList = YamlProperties.allowedCORSDomainList; |
|---|
| | | List<String> allowedList = new LinkedList<>(); |
|---|
| | | if (!allowedCORSDomainList.equals("")) { //存在跨域白名单,判断,设置 |
|---|
| | |
|---|
| | | resp.setHeader("Access-Control-Allow-Credentials", "true"); |
|---|
| | | } |
|---|
| | | } |
|---|
| | | } |
|---|
| | | |
|---|
| | | }*/ |
|---|
| | | resp.setHeader("Access-Control-Allow-Origin", "*"); |
|---|
| | | resp.setHeader("Access-Control-Allow-Headers", "X-Requested-With,content-type,token"); |
|---|
| | | resp.setHeader("Access-Control-Allow-Methods", "GET, POST"); |
|---|
| | | resp.setHeader("Access-Control-Allow-Credentials", "true"); |
|---|
| | | //只准使用GET,POST |
|---|
| | | String method = req.getMethod().toUpperCase(); |
|---|
| | | /* String method = req.getMethod().toUpperCase(); |
|---|
| | | String profileType = YamlProperties.profileType; |
|---|
| | | if(!profileType.contains("dev") && !(method.equals("GET")||method.equals("POST"))){ |
|---|
| | | resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
|---|
| | | response.setContentType("text/html;charset=utf-8"); |
|---|
| | | response.getWriter().write("不安全的请求"); |
|---|
| | | return; |
|---|
| | | } |
|---|
| | | }*/ |
|---|
| | | //处理响应头缺失,信息漏洞 |
|---|
| | | /*resp.addHeader("X-Frame-Options","SAMEORIGIN"); |
|---|
| | | resp.addHeader("Referrer-Policy","origin"); |
|---|
