点击劫持:X-Frame-Options未配置
生活随笔
收集整理的這篇文章主要介紹了
点击劫持:X-Frame-Options未配置
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
解決方案:設置X-Frame-Options參數即可
具體操作步驟如下:
在上面filter基礎上添加即可解決
附上源碼:
package com.sinosoft.fis.util;import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession;/*** 功能描述:* <p>* 1.Cookie 設置 httpOnly屬性 Cookie * 2.設置 httpOnly屬性防止js讀取cookie* </p>** @author gblfy*/ public class CookieHttpOnlyFilter implements Filter {public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)throws IOException, ServletException {if (!(request instanceof HttpServletRequest)) {chain.doFilter(request, response);return;}HttpServletRequest httpReq = (HttpServletRequest) request;HttpServletResponse httpResp = (HttpServletResponse) response;Cookie[] cookies = httpReq.getCookies();if (cookies != null) {Cookie cookie = cookies[0];if (cookie != null) {HttpSession session = httpReq.getSession();if (session != null) {String sessionId = session.getId();// http設置httpResp.addHeader("Set-Cookie", "JSESSIONID=" + sessionId + "; Path=/fis; HttpOnly");httpResp.addHeader("x-frame-options","DENY"); // httpResp.addHeader("x-frame-options","SAMEORIGIN");// https設置 // httpResp.addHeader("Set-Cookie", "JSESSIONID=" + sessionId // + "; Path=/admin;Secure; HttpOnly");}}}chain.doFilter(httpReq, httpResp);}public void destroy() {}public void init(FilterConfig filterConfig) throws ServletException {}}谷歌測試效果圖:
漏洞參考連接:
https://www.cnblogs.com/wdnnccey/p/6476518.html
總結
以上是生活随笔為你收集整理的点击劫持:X-Frame-Options未配置的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: linux 创建用户和修改新增用户默认的
- 下一篇: vsftpd常用操作