2017-03-31

TOMCAT的安全性header設定

TOMCAT有內建一些關於CORS及SECURITY的HEADER, 可以的話建議打開,以利用瀏覽器所提供的安全性功能,以下是個人常用的預設設定:

修改 tomcat-home/conf/web.xml (對所有apps生效):

    HeaderSecurityFilter
    org.apache.catalina.filters.HttpHeaderSecurityFilter
    
      hstsEnabledtrue
    
      hstsMaxAgeSeconds15768000
    
      hstsIncludeSubDomainstrue
    
      antiClickJackingEnabledtrue
    
      antiClickJackingOptionSAMEORIGIN
    
      antiClickJackingUri
    
      blockContentTypeSniffingEnabledtrue
    
      xssProtectionEnabledtrue


  CorsFilter
org.apache.catalina.filters.CorsFilter
  
    cors.allowed.originshttps://your.domain.com
  



    HeaderSecurityFilter
    /*
    
    REQUEST
    FORWARD
    INCLUDE
    ERROR
    ASYNC


    CorsFilter
    /*
    
    REQUEST
    FORWARD
    INCLUDE
    ERROR
    ASYNC

ref:
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CORS_Filter
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter
https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
HTTP Headers 的資安議題 (1)
HTTP Headers 的資安議題 (2)
HTTP Headers 的資安議題 (3)
張貼者:
標籤: ,

沒有留言:

張貼留言

訂閱: 張貼留言 (Atom)