X-Content-Type-Options
Missing target response header detected
The X-Content-Type-Options HTTP response header is a hint flag: the server uses it to tell the client to follow the MIME type declared in the Content-Type header and not to alter it. This disables client-side MIME type sniffing. In other words, it signals that the website administrator is confident that their Content-Type settings are correct.
Solution
The fix for this finding is to stop browsers from sniffing the MIME type. When the MIME type is missing, the browser sniffs it by inspecting the resource content, and that guess can introduce security issues (a file served as plain text or an image may end up executed as script). So we should set the MIME type correctly first and then disable MIME sniffing.
- Set the response header
- Add the X-Content-Type-Options field and set its value to nosniff
```java
// doFilter of a javax.servlet.Filter registered for every request
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    // Tell the browser to trust the declared Content-Type and not sniff the body
    response.addHeader("X-Content-Type-Options", "nosniff");
    filterChain.doFilter(request, response);
}
```
X-XSS-Protection
Missing target response header detected
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that makes the browser stop loading the page when a cross-site scripting (XSS) attack is detected.
Solution
Defending against XSS requires changes in many places, which we will not go into here. Note that this header is a legacy defense: current Chromium-based browsers have removed their XSS auditor and Firefox never implemented one, so it must not be treated as a substitute for output encoding and a Content-Security-Policy.
- A basic first line of defense is to enable the browser's XSS filter.
- Configuration values:
  - 0: disable XSS filtering
  - 1: enable XSS filtering
  - 1; mode=block: when an attack is detected, the browser blocks rendering of the page instead of filtering the XSS content out of it
  - 1; report=<reporting-url>: Chrome only; when an attack is detected, the browser reports the violation to the specified URL
- Set the response header
- Add the X-XSS-Protection field and set it to 1; mode=block
```java
// doFilter of a javax.servlet.Filter registered for every request
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    // Enable the browser's XSS filter and block the whole page rather than sanitizing it
    response.addHeader("X-XSS-Protection", "1; mode=block");
    filterChain.doFilter(request, response);
}
```
Content-Security-Policy
Target response header detected
The Content-Security-Policy HTTP response header lets site administrators control which resources the user agent is allowed to load for a given page. With a few exceptions, a policy mostly consists of specifying the allowed server origins and script endpoints.
```java
// doFilter of a javax.servlet.Filter registered for every request
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    // Only allow resources from our own origin; note the closing quote around 'self',
    // without it the policy is malformed and browsers reject it
    response.addHeader("Content-Security-Policy", "default-src 'self'");
    filterChain.doFilter(request, response);
}
```
An HTTP host header attack vulnerability was detected in the target URL.
To obtain the site's domain name conveniently, developers generally rely on the HTTP Host header. However, this header is not trustworthy: the client controls it, so if the application does not validate the Host value, attacker-supplied data is passed straight into the application's code, for example wherever it builds absolute URLs.
Solution
Manage the hosts of the web project by configuring a whitelist of the domain names under which it may be accessed.
- Set up an interceptor and read the Host field from the request headers
- Configure the interceptor's whitelist
```java
// doFilter of a javax.servlet.Filter; HttpStatus is Spring's org.springframework.http.HttpStatus
// and Pattern is java.util.regex.Pattern
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    // The Host header is on the request, not the response (header names are case-insensitive)
    String host = request.getHeader("Host");
    if (!checkWhiteList(host)) {
        response.setStatus(HttpStatus.FORBIDDEN.value());
        return;
    }
    filterChain.doFilter(request, response);
}

// Whole-value match with an optional port. An unanchored find() would also accept
// "localhost.example.net", and unescaped dots would match any character.
private boolean checkWhiteList(String host) {
    if (host == null) {
        return false;
    }
    String reg = "^(localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0)(:\\d{1,5})?$";
    return Pattern.compile(reg).matcher(host).matches();
}
```
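As an added example that is not part of the article, the whitelist check written as an exact-match set lookup instead of a regex, with port stripping and a small self-test. The allowed names are constructed values; a real deployment lists its own public host names, and the filter above would call isAllowedHost(request.getHeader("Host")).

```java
import java.util.Locale;
import java.util.Set;

// Added example (not the article's code): exact-match Host allowlist for a servlet filter.
// ALLOWED holds constructed sample names; replace them with the deployment's real host names.
public final class HostAllowList {
    private static final Set<String> ALLOWED = Set.of("localhost", "127.0.0.1", "0.0.0.0");

    // Returns true only when the Host header names one of our own sites.
    public static boolean isAllowedHost(String hostHeader) {
        if (hostHeader == null || hostHeader.isBlank()) {
            return false;                      // HTTP/1.1 requires Host; treat absence as untrusted
        }
        String host = hostHeader.trim().toLowerCase(Locale.ROOT);
        // Strip an optional numeric port, but leave an IPv6 literal such as [::1] intact
        int colon = host.lastIndexOf(':');
        if (colon > host.lastIndexOf(']')) {
            if (!host.substring(colon + 1).matches("\\d{1,5}")) {
                return false;                  // malformed port, e.g. a second host name after the colon
            }
            host = host.substring(0, colon);
        }
        return ALLOWED.contains(host);         // whole-string match, never a substring search
    }

    public static void main(String[] args) {
        // Constructed inputs: the last two contain a whitelisted name as a substring only,
        // so an unanchored regex find() would wrongly accept them; this check rejects both
        String[] samples = {"localhost", "localhost:8080", "127.0.0.1",
                            "localhost.example.net", "other.example:127.0.0.1"};
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowedHost(s) ? "allowed" : "rejected"));
        }
    }
}
```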
It was detected that the target URL has an insecure HTTP method enabled.
The target web server is configured to allow one (or more) of the following HTTP methods: DELETE, SEARCH, COPY, MOVE, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK.
These methods indicate that WebDAV may be in use on the server. Since WebDAV methods let the client manipulate files on the server, a misconfigured WebDAV setup may allow unauthorized users to modify files on the server.
Solution
Configure which request methods are accepted. Generally the two methods GET and POST are enough; add others only if the application needs them (for example HEAD, or OPTIONS if the application serves cross-origin preflight requests).
```java
// doFilter of a javax.servlet.Filter; HttpStatus and HttpMethod are Spring's org.springframework.http types
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    if (!isAllowMethod(request)) {
        // The article answers 404; 405 Method Not Allowed with an Allow header is the HTTP-standard alternative
        response.setStatus(HttpStatus.NOT_FOUND.value());
        return;
    }
    filterChain.doFilter(request, response);
}

// Only GET and POST pass; extend this check if the application needs further methods
private boolean isAllowMethod(HttpServletRequest request) {
    String method = request.getMethod();
    return HttpMethod.GET.toString().equals(method) || HttpMethod.POST.toString().equals(method);
}
```
A possible slow HTTP denial of service attack on the target host has been detected
A slow HTTP denial-of-service attack is an application-layer denial-of-service attack aimed specifically at the web. The attacker controls compromised hosts (bots) on the network and floods the target web server with HTTP requests until the server's bandwidth is exhausted, causing a denial of service. The "slow" variants additionally hold each connection open by sending request headers or body bytes very slowly, so the server's connection pool rather than its bandwidth is what runs out; that is why the fixes below act on connection limits and timeouts.
Solution
Such problems are generally solved from two directions:
- Limit the number of concurrent connections
- Set a request timeout

```properties
# Spring Boot application.properties
# Close a connection that has not delivered a complete request within 5000 ms
server.connection-timeout= 5000
# Upper bound on connections Tomcat keeps open at once (its default is 8192)
server.tomcat.max-connections = 10000
```

In Spring Boot 2.3 and later, server.connection-timeout is deprecated in favour of the server-specific server.tomcat.connection-timeout.
Clickjacking: X-Frame-Options not configured
Clickjacking is a form of visual deception. The attacker covers a web page with a transparent, invisible iframe and then induces the user to act on the visible page; the user's clicks actually land on the transparent iframe page without their knowledge. By positioning the iframe, the attacker can steer users into clicking functional buttons of the framed page.
- Add the X-Frame-Options response header with one of these values:
  - DENY: the page cannot be embedded at all
  - SAMEORIGIN: the page can only be embedded by this site
  - ALLOW-FROM: specify the sites that may embed the page (obsolete; most current browsers ignore it, and the Content-Security-Policy frame-ancestors directive is the supported replacement)
- Set the response header
```java
// doFilter of a javax.servlet.Filter registered for every request
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    // Pick one of the three values:
    // response.addHeader("X-Frame-Options", "DENY");
    // response.addHeader("X-Frame-Options", "SAMEORIGIN");
    // ALLOW-FROM takes a bare URI with no quotes around it
    response.addHeader("X-Frame-Options", "ALLOW-FROM http://localhost:9080");
    filterChain.doFilter(request, response);
}
```
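As an added example that is not the article's code, the same allow-one-embedder intent expressed with headers that current browsers honour: X-Frame-Options restricted to DENY or SAMEORIGIN as a fallback, and the embedding origin named in a CSP frame-ancestors directive. http://localhost:9080 is the embedding site from the article; ALLOWED_EMBEDDERS and the apply() helper are assumptions.

```java
import java.util.List;
import javax.servlet.http.HttpServletResponse;

// Added example (not the article's code): emit the anti-framing headers current browsers honour.
// ALLOWED_EMBEDDERS is an assumed setting; the origin is the one used in the article.
public final class FrameHeaders {
    private static final List<String> ALLOWED_EMBEDDERS = List.of("http://localhost:9080");

    // X-Frame-Options understands only DENY and SAMEORIGIN; ALLOW-FROM is obsolete and
    // ignored by Chromium- and WebKit-based browsers, so this fallback never emits it.
    static String xFrameOptions() {
        return ALLOWED_EMBEDDERS.isEmpty() ? "DENY" : "SAMEORIGIN";
    }

    // CSP frame-ancestors is the supported way to name specific embedding origins; browsers
    // that support it give it precedence over X-Frame-Options when both are present.
    static String frameAncestors() {
        StringBuilder policy = new StringBuilder("frame-ancestors 'self'");
        for (String origin : ALLOWED_EMBEDDERS) {
            // A source must be a scheme://host[:port] origin; refuse anything else so a
            // misconfigured value cannot silently widen the policy
            if (!origin.matches("https?://[A-Za-z0-9.-]+(:\\d{1,5})?")) {
                throw new IllegalArgumentException("not an origin: " + origin);
            }
            policy.append(' ').append(origin);
        }
        return policy.toString();
    }

    // Call from doFilter before filterChain.doFilter(). setHeader replaces any earlier value,
    // so merge this directive into the application's existing CSP string if it already has one.
    static void apply(HttpServletResponse response) {
        response.setHeader("X-Frame-Options", xFrameOptions());
        response.setHeader("Content-Security-Policy", frameAncestors());
    }
}
```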