
Web安全漏洞 X-Frame-Options响应头配置

介绍:X-Frame-Options响应头用于控制页面能否被嵌入到frame/iframe中,主要用来防御点击劫持(clickjacking)。详细说明可以参考MDN文档:

https://developer.mozilla.org/zh-CN/docs/Web/HTTP/X-Frame-Options

下面记录一下Java部分的写法

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

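/**
 * Servlet filter that sets the {@code X-Frame-Options: SAMEORIGIN} response
 * header so that pages may only be framed by documents from the same origin
 * (a clickjacking mitigation).
 *
 * <p>Note for maintainers: modern browsers also honour the
 * {@code Content-Security-Policy: frame-ancestors} directive, which supersedes
 * this header. This filter only emits the legacy header; add a CSP where the
 * application's policy is managed if one is required.
 *
 * @author yc
 */
public class FrameFilter implements Filter {

	/** Canonical header name; HTTP header names are case-insensitive. */
	private static final String HEADER_NAME = "X-Frame-Options";

	/** Allow framing only by pages served from the same origin. */
	private static final String HEADER_VALUE = "SAMEORIGIN";

	/**
	 * No initialisation is required; the filter has no configuration.
	 *
	 * @param filterConfig the container-supplied configuration (unused)
	 * @throws ServletException never thrown by this implementation
	 */
	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		// Intentionally empty: nothing to set up.
	}

	/**
	 * Sets the anti-framing header on HTTP responses and continues the chain.
	 *
	 * @param request  the incoming request, passed through unchanged
	 * @param response the response on which the header is set
	 * @param chain    the remaining filter chain
	 * @throws IOException      if a downstream filter or servlet fails on I/O
	 * @throws ServletException if a downstream filter or servlet fails
	 */
	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		// Only HTTP responses carry headers; guard the cast so a non-HTTP
		// request is passed through instead of failing with ClassCastException.
		if (response instanceof HttpServletResponse) {
			// setHeader (not addHeader) replaces any value already present, so the
			// response never carries duplicate or conflicting X-Frame-Options
			// headers, which browsers do not handle consistently.
			// The header must be set before the chain runs: once the response is
			// committed downstream, header changes are ignored.
			((HttpServletResponse) response).setHeader(HEADER_NAME, HEADER_VALUE);
		}
		chain.doFilter(request, response);
	}

	/** No resources are held, so there is nothing to release. */
	@Override
	public void destroy() {
		// Intentionally empty.
	}

}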
           

代码写好后要在web.xml中进行配置,如下:

<!-- Registers the filter class under the logical name FrameFilter.
     NOTE(review): com.xx.xxx.filter looks like a placeholder package; replace it
     with the actual package of the FrameFilter class. -->
<filter>
		<filter-name>FrameFilter</filter-name>
		<filter-class>com.xx.xxx.filter.FrameFilter</filter-class>
	</filter>

	<!-- Maps the filter to every request path (/*) so the X-Frame-Options header
	     is applied to all responses handled by this web application. -->
	<filter-mapping>
		<filter-name>FrameFilter</filter-name><!-- must match the filter-name declared in the filter element above -->
		<url-pattern>/*</url-pattern>
	</filter-mapping>