2 Vulnerabilities: X-Frame-Options and Cookie without Secure flag

2.1 Clickjacking: X-Frame-Options header missing
Vulnerability level: low risk
Affected site:

Serial No. | Affected site (screenshot)
2          | https://bpo.elite-club.net.cn/gmacsaic-bpo

Vulnerability Hazard:
X-Frame-Options is not set, which can lead to clickjacking vulnerabilities. After an attacker tampers with a page of the website in combination with other vulnerabilities, users who click on it unknowingly send requests to other services, resulting in information leakage or other harm to the user.
Repair suggestion:
Set the X-Frame-Options header to SAMEORIGIN or DENY, or set the ALLOW-FROM parameter.
Action:
Java code:
response.addHeader("X-Frame-Options", "SAMEORIGIN");
Nginx configuration:
add_header X-Frame-Options SAMEORIGIN;
Apache configuration:
# "set" replaces any header the application already sent, so the value is not duplicated
Header always set X-Frame-Options "SAMEORIGIN"

2.2 Cookie without Secure flag set
Vulnerability Level: Low Risk
Affected sites:

Serial No. | Affected site (screenshot)
1          | https://bpo.elite-club.net.cn/gmacsaic-bpo


Vulnerability hazards:
The cookie's Secure flag is not set, so its value is also sent to the server over plain HTTP, where it can be intercepted. Combined with other vulnerabilities, this can cause access control to fail.
Repair suggestion:
Set the Secure flag on the cookie.
Action:
web.xml:
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <!-- secure=true means the session cookie may only be sent over HTTPS.
         Note: the site must then be served over HTTPS, otherwise the browser will not send the cookie on HTTP requests -->
    <secure>true</secure>
  </cookie-config>
</session-config>
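As an added check that is not part of the original report, the following script parses a constructed HTTP response head and reports both findings from this section (2.1 missing X-Frame-Options, 2.2 Set-Cookie without Secure); SAMPLE_RESPONSE, parse_headers, check_frame_options, check_cookie_secure and audit are all assumed names.

```python
from typing import List, Tuple

# Constructed sample response; not a capture from the site named in the report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/gmacsaic-bpo; HttpOnly\r\n"
    "Set-Cookie: lang=zh; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_frame_options(headers: List[Tuple[str, str]]) -> List[str]:
    """Finding 2.1: header absent, duplicated, or carrying a value browsers do not honour."""
    values = [v for n, v in headers if n == "x-frame-options"]
    if not values:
        return ["X-Frame-Options header missing (finding 2.1)"]
    findings = []
    if len(values) > 1:  # e.g. 'Header append' stacked on a header the app already set
        findings.append("multiple X-Frame-Options headers; conflicting values are handled inconsistently")
    for v in values:
        token = v.upper()
        if token not in ("DENY", "SAMEORIGIN") and not token.startswith("ALLOW-FROM "):
            findings.append(f"X-Frame-Options value {v!r} is not DENY/SAMEORIGIN/ALLOW-FROM")
    return findings

def check_cookie_secure(headers: List[Tuple[str, str]]) -> List[str]:
    """Finding 2.2: every Set-Cookie must carry the Secure attribute."""
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name!r} set without Secure flag (finding 2.2)")
    return findings

def audit(raw: str) -> List[str]:
    headers = parse_headers(raw)
    return check_frame_options(headers) + check_cookie_secure(headers)
```

Run audit() over a response head captured with the fix applied: an empty list means both findings are closed for that response.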
