1. Apache 配置 X-Frame-Options：启用 mod_headers 后，在 httpd.conf（或对应站点的 VirtualHost）中添加 `Header always set X-Frame-Options "SAMEORIGIN"`。注意应使用 set 而不是 append：append 会把值追加到已有的同名响应头上，形成类似 "SAMEORIGIN, SAMEORIGIN" 的值，部分浏览器会把这种带多个值的 X-Frame-Options 视为无效并整体忽略，效果等同于没有设置；always 保证 4xx/5xx 错误页也带上该头。如果应用层过滤器（见第 2 步）也会设置该头，两处只保留一处，避免同一响应出现两个值不同的 X-Frame-Options。对现代浏览器建议再同时发送 Content-Security-Policy: frame-ancestors 'self'，X-Frame-Options 仅作为旧浏览器的兜底。
2. 在项目里添加过滤器（适用于 Servlet 应用，与第 1 步二选一即可）：
/**
* Software published by the Open Web Application Security Project (http://www.owasp.org)
* This software is licensed under the new BSD license.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created February 6, 2009
*/
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
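public class ClickjackFilter implements Filter
{
    /** The only directives a browser understands for this header. */
    private static final String MODE_DENY = "DENY";
    private static final String MODE_SAMEORIGIN = "SAMEORIGIN";
    /** Obsolete directive; no current browser honours it. Accepted only for compatibility. */
    private static final String MODE_ALLOW_FROM_PREFIX = "ALLOW-FROM ";

    /** Directive written into the header; defaults to the most restrictive value. */
    private String mode = MODE_DENY;

    /**
     * Adds the X-Frame-Options response header so that the browser refuses to render
     * this response inside a frame (DENY) or only allows frames from the same origin
     * (SAMEORIGIN). For details see
     * http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
     *
     * Two things matter for the header to actually reach the browser:
     * - it is set BEFORE the chain runs. Once downstream code has committed (flushed)
     *   the response, headers set afterwards are silently discarded by the container
     *   and the page would be left unprotected;
     * - setHeader is used instead of addHeader so at most one value is sent. A
     *   response that carries several X-Frame-Options values is treated as invalid
     *   (and ignored) by browsers.
     *
     * Modern browsers prefer Content-Security-Policy: frame-ancestors; this header is
     * the fallback for older ones. Non-HTTP responses are passed through unchanged.
     *
     * @param request  the incoming request, passed through untouched
     * @param response the response to decorate
     * @param chain    the rest of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException
    {
        if (response instanceof HttpServletResponse) {
            // Header names are case-insensitive; the original spelling is kept.
            ((HttpServletResponse) response).setHeader("X-FRAME-OPTIONS", mode);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /**
     * Reads the optional "mode" init-param and validates it at startup, so that a typo
     * in web.xml fails deployment instead of silently emitting a header value that no
     * browser understands (which would disable the protection).
     *
     * Accepted values (case-insensitive): DENY, SAMEORIGIN, and "ALLOW-FROM uri"
     * (obsolete; the uri keeps its original case). When the parameter is absent the
     * default DENY stays in effect.
     *
     * @param filterConfig container-supplied configuration
     * @throws ServletException if "mode" is present but not one of the accepted values
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String configMode = filterConfig.getInitParameter("mode");
        if (configMode == null) {
            return;
        }
        String trimmed = configMode.trim();
        String upper = trimmed.toUpperCase(Locale.ROOT);
        if (upper.equals(MODE_DENY) || upper.equals(MODE_SAMEORIGIN)) {
            mode = upper;
        } else if (upper.startsWith(MODE_ALLOW_FROM_PREFIX)) {
            String uri = trimmed.substring(MODE_ALLOW_FROM_PREFIX.length()).trim();
            // Reject an empty uri and anything that could split the header line.
            if (uri.isEmpty() || uri.indexOf('\r') >= 0 || uri.indexOf('\n') >= 0) {
                throw new ServletException(
                        "ClickjackFilter: invalid ALLOW-FROM uri in init-param 'mode'");
            }
            mode = MODE_ALLOW_FROM_PREFIX + uri;
        } else {
            throw new ServletException("ClickjackFilter: unsupported X-Frame-Options mode '"
                    + configMode + "'; use DENY or SAMEORIGIN");
        }
    }
}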
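<!-- Each filter's "mode" value must match its name. With the two swapped, the filter
     called "Deny" would send SAMEORIGIN and still let same-origin pages frame it. -->
<filter>
    <filter-name>ClickjackFilterDeny</filter-name>
    <filter-class>cn.aresoft.web.servlet.ClickjackFilter</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>ClickjackFilterSameOrigin</filter-name>
    <filter-class>cn.aresoft.web.servlet.ClickjackFilter</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<!-- Map exactly ONE of the two filters. Mapping both to /* would emit two
     X-Frame-Options headers with different values, which browsers ignore. -->
<!-- Use the Deny version to prevent anyone, including yourself, from framing the page. -->
<filter-mapping>
    <filter-name>ClickjackFilterDeny</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Use the SameOrigin version instead to allow your own application to frame the page,
     but nobody else (the comment is closed here; the original listing left it open):
<filter-mapping>
    <filter-name>ClickjackFilterSameOrigin</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-->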
clickjacking:X-frame-options header missing 漏洞解决办法
原文地址:http://xuliangjun.blog.51cto.com/7398089/1718280