1.启用了不安全的HTTP方法:
--修改WEB应用的web.xml
--修改Tomcat的web.xml
添加以下代码:
<security-constraint>
<web-resource-collection>
<web-resource-name>fortune</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint></auth-constraint>
</security-constraint>
--<security-constraint>用于限制对资源的访问;
--<auth-constraint>用于限制那些角色可以访问资源,这里设置为空就是禁止所有角色用户访问;
--<url-pattern>指定需要验证的资源
--<http-method>指定那些方法需要验证
2.X-Frame-Options Header未配置:
参考 https://blog.csdn.net/chanlingmai5374/article/details/78674815