2017-03-31

Tomcat security header settings

Tomcat ships with built-in filters for CORS and security-related HTTP headers. Where possible, I recommend enabling them so the application benefits from the protections the browser already offers. Below are the default settings I typically use:

Edit tomcat-home/conf/web.xml (applies to all deployed apps):
<filter>
    <filter-name>HeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>15768000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
    <init-param><param-name>antiClickJackingUri</param-name><param-value></param-value></init-param>
    <init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>xssProtectionEnabled</param-name><param-value>true</param-value></init-param>
</filter>
<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>https://your.domain.com</param-value></init-param>
    <!--
    <init-param><param-name>cors.allowed.methods</param-name><param-value>GET,POST,HEAD,OPTIONS,PUT</param-value></init-param>
    <init-param><param-name>cors.allowed.headers</param-name><param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value></init-param>
    <init-param><param-name>cors.exposed.headers</param-name><param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>cors.preflight.maxage</param-name><param-value>10</param-value></init-param>
    -->
</filter>
<filter-mapping>
    <filter-name>HeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <!--<servlet-name>*</servlet-name>-->
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
    <dispatcher>ASYNC</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <!--<servlet-name>*</servlet-name>-->
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
    <dispatcher>ASYNC</dispatcher>
</filter-mapping>
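To confirm a deployment actually sends what the two filters above are configured to send, here is a small header audit, an added example that is not part of the original post. It assumes the origin https://your.domain.com and the 15768000-second HSTS age from the configuration, and the two response header sets inside it are constructed (GOOD mirrors what the filters emit for these settings, BAD is a weakened deployment) so it runs without a network request.

```python
"""Audit response headers against the Tomcat filter settings in conf/web.xml.
Added example, not from the original post; GOOD and BAD are constructed responses."""
from typing import Dict, List

ALLOWED_ORIGINS = {"https://your.domain.com"}   # mirrors cors.allowed.origins
MIN_HSTS_AGE = 15768000                          # mirrors hstsMaxAgeSeconds

# Constructed samples: GOOD is what the HttpHeaderSecurityFilter/CorsFilter emit
# for the settings above; BAD is a deployment where they were weakened.
GOOD = {"Strict-Transport-Security": "max-age=15768000;includeSubDomains",
        "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
        "Access-Control-Allow-Origin": "https://your.domain.com"}
BAD = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOWALL",
       "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=N;includeSubDomains' into a lowercase directive map."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the response matches the config."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if not hsts.get("max-age", "").isdigit():
        findings.append("HSTS missing or malformed")
    else:
        if int(hsts["max-age"]) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {hsts['max-age']} below {MIN_HSTS_AGE}")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    # CORS: credentials combined with a wildcard origin defeats the allowlist
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("CORS allows credentials for any origin")
    elif acao and acao != "*" and acao not in ALLOWED_ORIGINS:
        findings.append(f"CORS origin {acao} not in allowlist")
    return findings
```

Feed it the header map of a real response (for example from `requests.get(url).headers`) to check a live server against the same rules.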

ref:
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CORS_Filter
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter
https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
Security issues with HTTP Headers (1)
Security issues with HTTP Headers (2)
Security issues with HTTP Headers (3)
