Edit tomcat-home/conf/web.xml (applies to every web application deployed on this Tomcat instance):

```xml
<filter>
    <filter-name>HeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>15768000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value></param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>https://your.domain.com</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>HeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
    <dispatcher>ASYNC</dispatcher>
</filter-mapping>

<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
    <dispatcher>ASYNC</dispatcher>
</filter-mapping>
```

Notes on the settings: HttpHeaderSecurityFilter only emits Strict-Transport-Security on requests it sees as secure (HTTPS), so it will not appear when testing over plain HTTP or behind a proxy that terminates TLS without the connector marked secure. antiClickJackingUri is only used when antiClickJackingOption is ALLOW-FROM, so it stays empty with SAMEORIGIN. Replace https://your.domain.com with the exact origin (scheme and host) of your front end; a value of * would let any site make credentialed cross-origin calls. X-XSS-Protection is ignored by current browsers, so keep it for older clients but do not rely on it in place of a Content-Security-Policy.
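To confirm the filters are actually in effect, compare the headers of a real response against what the configuration above should produce. The checker below is an added example and not part of the original post or of Tomcat; it audits a header dictionary (the two sample responses are constructed, not captured from a server) and reports missing or weak values. The HSTS threshold and the allowed origin are taken from the web.xml above and are assumptions for any other deployment.

```python
"""Audit response headers against the Tomcat filter configuration.

Added example: feed it the headers from `curl -sI https://host/` or any
HTTP client. The HSTS minimum and the expected CORS origin mirror the
web.xml above and should be adjusted for your deployment.
"""

import re

# Matches hstsMaxAgeSeconds in web.xml (assumed value from the config above).
MIN_HSTS_MAX_AGE = 15768000
# The single origin the CorsFilter allows (assumed value from the config above).
ALLOWED_ORIGIN = "https://your.domain.com"


def _lower(headers):
    """Header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def audit_headers(headers, https=True):
    """Return a list of findings (strings); an empty list means every check passed."""
    h = _lower(headers)
    findings = []

    # HttpHeaderSecurityFilter only adds HSTS on secure requests, so only
    # expect the header when the response was fetched over HTTPS.
    if https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        else:
            m = re.search(r"max-age=(\d+)", hsts, re.I)
            if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append("HSTS max-age below %d" % MIN_HSTS_MAX_AGE)
            if "includesubdomains" not in hsts.lower():
                findings.append("HSTS without includeSubDomains")

    # antiClickJackingEnabled with SAMEORIGIN -> X-Frame-Options: SAMEORIGIN
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # blockContentTypeSniffingEnabled -> X-Content-Type-Options: nosniff
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    # CorsFilter: a wildcard or an unexpected origin is a misconfiguration.
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append("Access-Control-Allow-Origin is wildcard")
    elif acao is not None and acao != ALLOWED_ORIGIN:
        findings.append("Access-Control-Allow-Origin unexpected: " + acao)

    return findings


# Constructed sample: a response from an instance without the filters
# and with a wildcard CORS origin.
UNHARDENED = {
    "Content-Type": "text/html;charset=UTF-8",
    "Access-Control-Allow-Origin": "*",
}

# Constructed sample: what the web.xml above should produce over HTTPS.
HARDENED = {
    "Content-Type": "text/html;charset=UTF-8",
    "Strict-Transport-Security": "max-age=15768000;includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Access-Control-Allow-Origin": "https://your.domain.com",
}

if __name__ == "__main__":
    for name, hdrs in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or "OK")
```

Run the audit against both an HTTPS and a plain-HTTP response (pass https=False for the latter) so that a missing HSTS header is only reported where the filter is expected to emit it.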
ref:
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CORS_Filter
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter
https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
Security issues with HTTP headers (1)
Security issues with HTTP headers (2)
Security issues with HTTP headers (3)