在我的 Web 应用程序中,我使用 owasp ZED 工具来检查安全漏洞。我发现没有设置 X-Content-Type-Options 和 Content-Type 标头。
在我的交叉过滤器中,我在 HTTPResponse 对象中添加了标头
@WebFilter("/*")
public class CrossFilter implements Filter {
private static CoreLogger logger=LoggerFactory.getLogger(FirstServlet.class);
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filter) throws IOException,
ServletException {
try{
HttpServletResponse httpServletResponse = (HttpServletResponse ) servletResponse ;
httpServletResponse.setHeader("Access-Control-Allow-Origin", "*");
httpServletResponse.setHeader("Access-Control-Allow-Headers", "origin, content-type, accept, authorization");
httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");
httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD");
httpServletResponse.setHeader("Access-Control-Max-Age", "1209600");
httpServletResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block");
httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");
httpServletResponse.setHeader("Content-Type", "text/plain");
filter.doFilter(servletRequest, servletResponse);
}catch(Exception exc){
logger.info(exc.getMessage());
if(logger.isDebugEnabled()){
logger.error(exc.getMessage(),exc);
}
}
}
现在,当我尝试通过浏览器访问应用程序时,它会显示 HTML 的来源。我以为我添加了 text/plain 是错误的,我尝试了 text/html ,但错误仍然存在。
如果我做错了,谁能帮帮我?