X-Frame-Options header not set in Java Apache Tomcat 8.5.9
Tags: java, apache, security, tomcat, httpresponse

I am using an Apache Tomcat 8.5.9 server for a Java web application built with Struts 2, Spring and Spring Security. While doing security testing with the ZAP 2.7.0 security scanning tool, I found the following errors in the scan report for the web application:

- X-Frame-Options header not set
- Web browser XSS protection not enabled
- X-Content-Type-Options header missing

To fix these, I used the following code in the web.xml file in the conf folder of the Apache Tomcat 8.5.9 server:
```xml
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```
Even after using the code above, the errors are not fixed. But when I try the same code in Apache Tomcat 7.0.5, it works fine.

Can anyone tell me what is missing in the Apache Tomcat 8.5.9 server?

---

I ran into a problem when displaying a PDF in … . What I did was:
```java
import java.util.concurrent.TimeUnit;
import org.springframework.http.CacheControl;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;

// Inside the Spring MVC configuration class (a WebMvcConfigurerAdapter subclass)
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
    registry.addResourceHandler("/resources/**").addResourceLocations("/resources/");
    registry.addResourceHandler("/jspf/**").addResourceLocations("/jspf/");
    // registry.addResourceHandler("/Portafolios/**").addResourceLocations("/Portafolios/");
    // Serve the PDFs from a directory on the local filesystem, publicly cacheable for two hours
    registry.addResourceHandler("/portafolio/**")
            .addResourceLocations("file:" + System.getProperty("user.home") + "/Documents/PPP/")
            .setCacheControl(CacheControl.maxAge(2, TimeUnit.HOURS).cachePublic());
    super.addResourceHandlers(registry);
}
```
I put my PDF files in the portafolio directory. I also modified Apache Tomcat's web.xml:
```xml
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
```
You may already have the web.xml, but I think you are missing the change to the configure() method. You can take a look:
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;

// Inside the Spring Security configuration class (a WebSecurityConfigurerAdapter subclass)
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .headers()
            .frameOptions()
                .sameOrigin()                                       // X-Frame-Options: SAMEORIGIN
            .contentSecurityPolicy("frame-ancestors 'self'").and()  // CSP equivalent of SAMEORIGIN
        .and()
        // ..... other things .....
        ;
}
```
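The three findings in the question (and the SAMEORIGIN / frame-ancestors settings in the answer) can be verified directly on a response's headers instead of re-running a full scan. The following Python script is an added example, not code from the question, the answer, Tomcat or Spring. It parses a raw response head (what `curl -sI <url>` prints) and reports each of the three headers that is missing, sent more than once (for instance when both Tomcat's HttpHeaderSecurityFilter and Spring Security add X-Frame-Options) or carries an unexpected value. The sample responses embedded in it are constructed, not captured from the asker's server.

```python
"""Audit an HTTP response head for the three headers ZAP flagged in the
question: X-Frame-Options, X-XSS-Protection and X-Content-Type-Options.

Added example, not code from the original question or answer. The sample
responses below are constructed, not captured from the asker's server.
"""
from typing import Dict, List, Set

# Accepted values per header. They are what Tomcat's HttpHeaderSecurityFilter
# writes with the init-params shown in the question (antiClickJackingOption
# SAMEORIGIN, xssProtectionEnabled, blockContentTypeSniffingEnabled); DENY is
# accepted as well because Spring Security emits it by default.
EXPECTED: Dict[str, Set[str]] = {
    "x-frame-options": {"sameorigin", "deny"},
    "x-xss-protection": {"1; mode=block"},
    "x-content-type-options": {"nosniff"},
}


def parse_response_head(raw: str) -> Dict[str, List[str]]:
    """Parse a status line plus header block (the output of `curl -sI`).

    Header names are lower-cased; a header sent more than once keeps every
    value, because that is exactly the case the audit needs to see.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if line == "":
            break  # a blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return one finding per missing, duplicated or unexpected header.

    An empty list means all three headers are present with accepted values.
    """
    findings: List[str] = []
    for name, accepted in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: header not set")
        elif len(values) > 1:
            # Two layers (e.g. Tomcat's filter and Spring Security) each adding
            # the header produce conflicting values that browsers may ignore.
            findings.append(f"{name}: set more than once ({', '.join(values)})")
        elif values[0].lower() not in accepted:
            findings.append(f"{name}: unexpected value {values[0]!r}")
    return findings


def audit_raw(raw: str) -> List[str]:
    """Convenience wrapper: parse the raw head, then audit it."""
    return audit_headers(parse_response_head(raw))


# Constructed samples (not real captures).
BEFORE = (  # what a scanner sees when the filter is not applied at all
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
AFTER = (  # the headers the question's web.xml filter is meant to produce
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: application/pdf\r\n"
    "\r\n"
)
DOUBLED = (  # two layers each setting X-Frame-Options with different values
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER), ("doubled", DOUBLED)):
        print(f"{label}: {audit_raw(sample) or 'no findings'}")
```

Run it as-is to see the three cases; to audit a real deployment, feed the output of `curl -sI https://your-host/` (a placeholder, not the asker's host) to `audit_raw`. Checking the response head is also the quickest way to tell whether a Tomcat-level filter in conf/web.xml is being applied at all, or whether a second layer such as Spring Security is writing its own value for the same header.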