Spring Security security settings

1. CSRF attack

CSRF, cross-site request forgery, is an attack in which the attacker gets a trusted site to act on a forged request that is sent from the victim user's browser.


For example:

A user submits a form to a bank website; the bank reads the request parameters and modifies the user's account. While the user is still logged in to the bank, they visit an attacker's website. That page contains a cross-site request (triggered automatically, or when the user clicks a submit button) whose URL is the bank endpoint that accepts the form. Because both requests come from the user's browser, the bank treats the forged request as one the user initiated and processes it; the result is that the user's bank account is modified by the attacking website.

Common Solutions 

Basically, the fix is to add some form information that the attacking website cannot obtain, such as an image CAPTCHA. This prevents CSRF, but outside of login and registration a CAPTCHA is not suitable elsewhere, because it reduces the usability of the website.

Countermeasures in Spring Security

a. Add a pre-filter (CsrfFilter) to the web application that verifies whether the request to be checked carries the CSRF token; if it does not, the corresponding error is returned. Since the attacking website cannot obtain the token, a request submitted from another site cannot pass the filter's verification.

b. By default CsrfFilter only checks POST requests; other request types are exempt. If you want non-POST form submissions to be CSRF-checked as well, you must configure the filter so that those requests also go through the check.


c. Set the CSRF-related attributes on the request; if none exist, generate a

d. There are two ways to obtain the CSRF token:

HttpSessionCsrfTokenRepository saves the token in the HTTP session, and the page obtains it through a template or expression. This is the default.

CookieCsrfTokenRepository.withHttpOnlyFalse() stores the token in a cookie with HttpOnly set to false, so that front-end code (for example jQuery) can read the cookie and send the token along with its requests.

2. X-Content-Type-Options: nosniff tells the browser not to guess (sniff) the file type of a response whose content type is not specified

Spring Security countermeasure

http.headers().addHeaderWriter(new XContentTypeOptionsHeaderWriter());

3. X-Frame-Options: whether the page may be loaded in an iframe


public XFrameOptionsHeaderWriter(XFrameOptionsMode frameOptionsMode) {
    Assert.notNull(frameOptionsMode, "frameOptionsMode cannot be null");
    /* If the mode is ALLOW_FROM, Spring throws an exception: use the
       constructor that takes an AllowFromStrategy instead */
    if (XFrameOptionsMode.ALLOW_FROM.equals(frameOptionsMode)) {
        throw new IllegalArgumentException(
                "ALLOW_FROM requires an AllowFromStrategy. Please use FrameOptionsHeaderWriter(AllowFromStrategy allowFromStrategy) instead");
    }
    this.frameOptionsMode = frameOptionsMode;
    this.allowFromStrategy = null;
}
DENY: the page may not be loaded in any iframe.
SAMEORIGIN: the page may be iframed only by pages from the same domain.
ALLOW-FROM: the page may be iframed by the pages selected through an AllowFromStrategy (see the constructor above).

Correct setting method in Spring:

http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));

http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY));
4. The most important thing is that the website uses the HTTPS protocol, not HTTP.
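Putting the four settings together, as an added example that is not code from the original post: a Spring Security 6.x (Spring Boot 3, jakarta.servlet) configuration with the cookie-based CSRF repository, nosniff, SAMEORIGIN and an HTTPS requirement. The class names WebSecurityConfig and CsrfCookieFilter are my own; the CsrfTokenRequestAttributeHandler and the extra filter are needed in 6.x because the token is loaded lazily and the default request handler expects an XOR-masked value, which a client that copies the raw XSRF-TOKEN cookie into the X-XSRF-TOKEN header does not send.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig { // hypothetical class name, not from the post
  @Bean
  SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
      .csrf(csrf -> csrf
        // token in the XSRF-TOKEN cookie with HttpOnly=false so JavaScript can read it
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        // accept the raw token in X-XSRF-TOKEN / _csrf (the 6.x default XOR handler would not)
        .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()))
      // token loading is deferred in 6.x; this filter makes sure the cookie is written
      .addFilterAfter(new CsrfCookieFilter(), CsrfFilter.class)
      .headers(headers -> headers
        .contentTypeOptions(Customizer.withDefaults())   // X-Content-Type-Options: nosniff
        .frameOptions(frame -> frame.sameOrigin()))      // X-Frame-Options: SAMEORIGIN
      .requiresChannel(channel -> channel.anyRequest().requiresSecure()) // http -> https
      .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
      .formLogin(Customizer.withDefaults());
    return http.build();
  }

  /** Reads the deferred CsrfToken once so CookieCsrfTokenRepository writes the XSRF-TOKEN cookie. */
  static final class CsrfCookieFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain chain) throws ServletException, IOException {
      CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
      token.getToken(); // forces the repository to generate and save the token
      chain.doFilter(request, response);
    }
  }
}
```

With this in place, a POST to any endpoint without a matching X-XSRF-TOKEN header (or _csrf parameter) is rejected by CsrfFilter with 403, and every response carries the nosniff and SAMEORIGIN headers.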
