如何将X-Content-Type-Options添加到tomcat配置中

Question

我的客户希望我修复My Web App的Web App漏洞,这是关于My Web App漏洞的消息

Anti-MIME-Sniffing标头X-Content-Type-Options未设置为'nosniff'

此检查特定于Internet Explorer 8和Google Chrome.如果Content-Type标头未知,请确保每个页面设置> Content-Type标头和X-CONTENT-TYPE-OPTIONS

虽然我已经找到了解决这个问题的方法,但我正在寻找tomcat配置的解决方案.是否可以对tomcat配置进行更改以实现此目的？

请给我任何想法.

Answer 1

如果您正在使用Tomcat 8,那很简单 - 将这两个部分添加到您的web.xml:

<filter>
    <filter-name>HeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>HeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

服务器响应现在默认为'nosniff'和X-Frame-Options:DENY

更多细节:Tomcat 8过滤器配置

Answer 2

我认为您可以通过以下步骤在Tomcat级别实现它:

• 创建你的过滤器,将其打包到jar中,然后放入jar $CATALINA_BASE/lib/
• 将过滤器定义添加到 $CATALINA_BASE/conf/web.xml

Answer 3

示例过滤器类代码.

public class SampleResponseFilter implements Filter  {

  @Override
  public void destroy() { }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException
  {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;
    // Protection against Type 1 Reflected XSS attacks
    res.addHeader("X-XSS-Protection", "1; mode=block");
    // Disabling browsers to perform risky mime sniffing
    res.addHeader("X-Content-Type-Options", "nosniff");
    chain.doFilter(req,res);
  }

  @Override
  public void init(FilterConfig filterConfig) throws ServletException { }
}