Solution: fixing low-severity "missing response header" findings on IIS/Apache/Nginx/Tomcat
2023-10-26 Umming, Site-building basics
Preface: websites are frequently scanned and flagged for missing response headers. This article describes how to fix those findings on IIS, Apache, Nginx and Tomcat (Java), for example: X-Content-Type-Options response header missing, Referrer-Policy response header missing, X-XSS-Protection response header missing, X-Download-Options response header missing, Strict-Transport-Security response header missing, Content-Security-Policy response header missing, X-Permitted-Cross-Domain-Policies response header missing, and X-Frame-Options not configured. I hope it is useful.
Contents:
1. IIS 7 and later
2. Apache
3. Nginx (rules added to the site configuration file)
4. Tomcat (headers added at the Java application level)
5. PHP (headers added at the application level)

Solutions:
1. IIS 7 and later: add the headers to the site's web.config.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- If a header with the same name is already defined at a parent level (e.g. applicationHost.config),
             put a <remove name="..." /> before the <add> to avoid a duplicate-entry configuration error. -->
        <!-- Finding: X-Content-Type-Options response header missing -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Finding: X-XSS-Protection response header missing -->
        <add name="X-XSS-Protection" value="1; mode=block" />
        <!-- Finding: Content-Security-Policy response header missing -->
        <add name="Content-Security-Policy" value="default-src 'self'" />
        <!-- Finding: Strict-Transport-Security response header missing -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <!-- Finding: Referrer-Policy response header missing -->
        <add name="Referrer-Policy" value="origin-when-cross-origin" />
        <!-- Finding: X-Permitted-Cross-Domain-Policies response header missing -->
        <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
        <!-- Finding: X-Download-Options response header missing -->
        <add name="X-Download-Options" value="noopen" />
        <!-- Clickjacking: X-Frame-Options not configured -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
2. Apache
In the conf file, or in a .htaccess file created in the site's document root, add the following rules (mod_headers must be enabled; in .htaccess the directory also needs AllowOverride FileInfo or All). Use "Header always set" instead of "Header set" if the header must also be present on error responses.
# Finding: X-Content-Type-Options response header missing
Header set X-Content-Type-Options "nosniff"
# Finding: X-XSS-Protection response header missing
Header set X-XSS-Protection "1; mode=block"
# Finding: Strict-Transport-Security response header missing
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Finding: Referrer-Policy response header missing
Header set Referrer-Policy "strict-origin-when-cross-origin"
# Finding: X-Permitted-Cross-Domain-Policies response header missing
Header set X-Permitted-Cross-Domain-Policies "master-only"
# Finding: X-Download-Options response header missing
Header set X-Download-Options "noopen"
# Clickjacking: X-Frame-Options not configured
Header set X-Frame-Options "SAMEORIGIN"
3. Nginx
Add the following rules to the site configuration file. Note that add_header only applies to 2xx and 3xx responses unless the "always" parameter is given, and that add_header directives in a location block replace, rather than extend, those inherited from the enclosing server or http block.
# Finding: X-Content-Type-Options response header missing
add_header X-Content-Type-Options "nosniff";
# Finding: error pages disclose the web application server version
# Edit the 404 and 500 pages so that strings such as "apache" or "nginx" do not appear
# (server_tokens off; also removes the version from the Server header and the default error pages)
# Finding: Referrer-Policy response header missing
add_header Referrer-Policy "origin";
# Finding: X-XSS-Protection response header missing
add_header X-XSS-Protection "1; mode=block";
# Finding: X-Download-Options response header missing
add_header X-Download-Options "noopen" always;
# Finding: Strict-Transport-Security response header missing
# (only add "preload" if the domain is actually going to be submitted to the HSTS preload list)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# Finding: Content-Security-Policy response header missing
add_header Content-Security-Policy "default-src 'self'";
# Finding: X-Permitted-Cross-Domain-Policies response header missing
add_header X-Permitted-Cross-Domain-Policies "master-only";
# Clickjacking: X-Frame-Options not configured
add_header X-Frame-Options SAMEORIGIN;
Example:
location / {
    ...
    ## nginx proxy configuration
    ...
    # Response headers for the reported security findings
    # (any add_header set at server/http level must be repeated here, since this block replaces them)
    # Finding: X-Content-Type-Options response header missing. Left disabled for now, otherwise some
    # banners stop working (nosniff blocks resources served with the wrong Content-Type; fixing the MIME types is the proper cure)
    #add_header X-Content-Type-Options "nosniff";
    # Finding: X-XSS-Protection response header missing
    add_header X-XSS-Protection "1; mode=block";
    # Finding: Content-Security-Policy response header missing
    # (this policy is very permissive: 'unsafe-inline' and 'unsafe-eval' satisfy the scanner but give little protection against XSS)
    add_header Content-Security-Policy "default-src 'self' http: https://* data: blob: 'unsafe-eval' 'unsafe-inline';child-src 'none' " always;
    # Finding: Referrer-Policy response header missing
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # Finding: X-Permitted-Cross-Domain-Policies response header missing
    add_header X-Permitted-Cross-Domain-Policies none;
    # Finding: X-Download-Options response header missing
    add_header X-Download-Options noopen;
    # Finding: Strict-Transport-Security response header missing
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
}
4. Tomcat
Add the response headers at the Java application level with a servlet filter:
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * @author ZQQ
 * @version 1.0
 * @date 2021/9/22 15:54
 * @desc Servlet filter that adds the response headers the scanner reports as missing.
 *       Uses the javax.servlet API (Tomcat 9 and earlier); on Tomcat 10+ the package is jakarta.servlet.
 */
@WebFilter(urlPatterns = "/*", filterName = "responseHeadFilter")
public class ResponseHeadFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Add the missing response headers. addHeader() appends; if the server or another
        // filter already sets one of these, use setHeader() instead so it is not sent twice.
        res.addHeader("X-Frame-Options", "SAMEORIGIN");
        res.addHeader("Referrer-Policy", "origin");
        res.addHeader("Content-Security-Policy", "object-src 'self'");
        res.addHeader("X-Permitted-Cross-Domain-Policies", "master-only");
        res.addHeader("X-Content-Type-Options", "nosniff");
        res.addHeader("X-XSS-Protection", "1; mode=block");
        res.addHeader("X-Download-Options", "noopen");
        res.addHeader("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");
        // Cookie flags: re-issue every cookie the client sent with Secure and HttpOnly.
        // Path, Domain and Expires are not preserved, so the re-issued copy is a session cookie for
        // the default path. For the session cookie itself, Tomcat can set both flags via
        // <session-config><cookie-config> in web.xml (Servlet 3.0+), which is the cleaner option.
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                String value = cookie.getValue();
                StringBuilder builder = new StringBuilder();
                builder.append(cookie.getName() + "=" + value + ";");
                builder.append("Secure;");   // mark the cookie Secure (sent over HTTPS only)
                builder.append("HttpOnly;"); // mark the cookie HttpOnly (not readable from script)
                res.addHeader("Set-Cookie", builder.toString());
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
5. PHP: adding the response headers at the application level. The header() calls must run before any output is sent, and the header value must not carry a trailing semicolon or quotes, otherwise browsers ignore it.
<?php
header("X-Frame-Options: SAMEORIGIN");                      // X-Frame-Options response header missing
header("Referrer-Policy: origin");                          // Referrer-Policy response header missing
header("Content-Security-Policy: frame-ancestors 'self'");  // Content-Security-Policy response header missing
header("X-Permitted-Cross-Domain-Policies: master-only");   // X-Permitted-Cross-Domain-Policies response header missing
header("X-XSS-Protection: 1; mode=block");                  // X-XSS-Protection response header missing
header("X-Download-Options: noopen");                       // X-Download-Options response header missing
header("X-Content-Type-Options: nosniff");                  // X-Content-Type-Options response header missing
header("Strict-Transport-Security: max-age=31536000");      // Strict-Transport-Security response header missing
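Whichever of the five configurations above is used, the result should be verified against a real response rather than trusted on sight. The checker below is an added example, not part of the original post: it parses a raw HTTP response (CRLF line endings, as curl prints them) and reports each header discussed here as missing, duplicated or malformed; the sample response is constructed and deliberately contains common slips (a trailing semicolon in a value, a quoted master-only, a max-age far below one year, a header sent twice and the Referer-Policy misspelling).

```python
import re
# Added example (not from the original post). Each validator returns None if the value is acceptable, else a reason.
REFERRER_POLICIES = {"no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
                     "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url"}
XPCDP_VALUES = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}
def _hsts(v):  # a max-age under one year is of limited value and not preload-eligible
    m = re.search(r"max-age=(\d+)", v)
    return None if m and int(m.group(1)) >= 31536000 else "max-age missing or below one year (31536000)"
EXPECTED = {
    "X-Content-Type-Options": lambda v: None if v == "nosniff" else "must be exactly 'nosniff'",
    "X-Frame-Options": lambda v: None if v.upper() in ("DENY", "SAMEORIGIN") else "must be DENY or SAMEORIGIN",
    "X-XSS-Protection": lambda v: None if v in ("0", "1; mode=block") else "must be '0' or '1; mode=block'",
    "X-Download-Options": lambda v: None if v == "noopen" else "must be 'noopen'",
    "Referrer-Policy": lambda v: None if v in REFERRER_POLICIES else "unknown policy token",
    "X-Permitted-Cross-Domain-Policies": lambda v: None if v in XPCDP_VALUES else "unknown value (quotes or ';'?)",
    "Strict-Transport-Security": _hsts,
    # 'unsafe-inline'/'unsafe-eval' satisfies the scanner but leaves little real XSS protection
    "Content-Security-Policy": lambda v: "allows unsafe-inline/unsafe-eval" if "'unsafe-" in v else None,
}

def parse_headers(raw):
    # header block of a raw HTTP response -> {lowercase name: [values]}; duplicates are kept
    out = {}
    for line in raw.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out

def check_headers(raw):
    # sorted (header, finding) pairs for headers that are missing, duplicated or malformed
    got, findings = parse_headers(raw), []
    for name, validate in EXPECTED.items():
        values = got.get(name.lower())
        if not values:  # a misspelled 'Referer-Policy' is sent by the server but never honoured
            typo = " (sent misspelled as 'Referer-Policy')" if name == "Referrer-Policy" and "referer-policy" in got else ""
            findings.append((name, "missing" + typo))
        else:
            if len(values) > 1:  # e.g. addHeader() on top of a header the server already sets
                findings.append((name, "sent %d times; set it in one place only" % len(values)))
            if (reason := validate(values[0])):
                findings.append((name, reason))
    return sorted(findings)

# Constructed sample response (not captured from a real server) with several common slips
SAMPLE = "\r\n".join(["HTTP/1.1 200 OK", "Server: nginx", "X-Frame-Options: SAMEORIGIN;", "Referer-Policy: origin",
    "X-Permitted-Cross-Domain-Policies: 'master-only'", "X-Content-Type-Options: nosniff", "X-Download-Options: noopen",
    "X-XSS-Protection: 1; mode=block", "X-XSS-Protection: 1; mode=block", "Strict-Transport-Security: max-age=3600", "", "<html>"])
```

To check one of your own sites, pass the output of `curl -si https://your-site/` (headers plus body) to check_headers() and print the returned pairs.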
Permalink: https://www.umming.com/basic/320.html