
解决:IIS/Apache/Nginx/Tomcat响应头缺失低危漏洞方法。

前言:经常遇到网站被扫描出响应头缺失的漏洞,本文将介绍如何在IIS、Apache、Nginx、Tomcat(Java)下修复响应头缺失漏洞的方法,例如 X-Content-Type-Options响应头缺失、Referrer-Policy响应头缺失、X-XSS-Protection响应头缺失、X-Download-Options响应头缺失、Strict-Transport-Security响应头缺失、Content-Security-Policy响应头缺失、X-Permitted-Cross-Domain-Policies响应头缺失、X-Frame-Options未配置的处理方法。希望对大家有帮助。

解决方法:

1、IIS7及以上版本。

<?xml version="1.0" encoding="UTF-8"?>

 <configuration>

  <system.webServer>

   <httpProtocol>

    <customHeaders>

     <!-- One <add> per scanner finding ("... response header missing").
          The values are the ones this article uses to satisfy the scanner,
          not necessarily the strictest possible for a given site. -->

     <!--X-Content-Type-Options response header missing-->

     <add name="X-Content-Type-Options" value="nosniff" />

     <!--X-XSS-Protection response header missing. Deprecated header that
         current browsers ignore; kept only so the scanner stops reporting it-->

     <add name="X-XSS-Protection" value="1;mode=block" />

     <!--Content-Security-Policy response header missing. default-src 'self'
         also blocks inline scripts/styles and resources loaded from other
         hosts (CDNs) - test the site before deploying, or relax the policy-->

     <add name="Content-Security-Policy" value="default-src 'self'" />

     <!--Strict-Transport-Security response header missing. Browsers only honour
         HSTS when it arrives over HTTPS, so the site must already serve HTTPS-->

     <add name="Strict-Transport-Security" value="max-age=31536000" />

     <!--Referrer-Policy response header missing-->

     <add name="Referrer-Policy" value="origin-when-cross-origin" />

     <!--X-Permitted-Cross-Domain-Policies response header missing-->

     <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />

     <!--X-Download-Options response header missing-->

     <add name="X-Download-Options" value="noopen" />

     <!--Clickjacking: X-Frame-Options not configured-->

    <add name="X-Frame-Options" value="SAMEORIGIN" />

   </customHeaders>

  </httpProtocol>

 </system.webServer>

</configuration>


2、Apache

在conf配置文件或网站根目录下创建.htaccess,在其中添加以下规则:

#Requires mod_headers. "Header set" only applies to successful (2xx/3xx)
#responses; if the scanner also reports the headers missing on error pages
#(404/500), use "Header always set" instead.

#X-Content-Type-Options response header missing

Header set X-Content-Type-Options "nosniff"

#X-XSS-Protection response header missing (deprecated header that current
#browsers ignore; kept only to satisfy the scanner)

Header set X-XSS-Protection "1; mode=block"

#Strict-Transport-Security response header missing. Only honoured by browsers
#over HTTPS; includeSubDomains makes every subdomain HTTPS-only, so check
#them before enabling it.
#NOTE(review): this line and the Referrer-Policy line write the header name
#with a trailing colon, unlike the others; verify the emitted header name
#and drop the colon if it shows up as part of the name.

Header set Strict-Transport-Security: "max-age=31536000 ; includeSubDomains ;"

#Referrer-Policy response header missing

Header set Referrer-Policy: strict-origin-when-cross-origin

#X-Permitted-Cross-Domain-Policies response header missing

Header set X-Permitted-Cross-Domain-Policies "master-only"

#X-Download-Options response header missing

Header set X-Download-Options "noopen"

#Clickjacking: X-Frame-Options not configured

Header set X-Frame-Options "SAMEORIGIN"


3、Nginx

在站点配置文件中添加如下规则。

 

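# One add_header per scanner finding. "always" makes nginx attach the header
# to error responses as well; without it the header is only added to
# 2xx/3xx responses and the scanner keeps reporting error pages.
# add_header is NOT inherited into a server{}/location{} block that defines
# its own add_header, so the full set has to be repeated in such a block.

# X-Content-Type-Options response header missing
add_header X-Content-Type-Options "nosniff" always;

# Error pages leak the web server version: customise the 404/500 pages so
# they do not mention apache/nginx, and hide the version from the Server
# header and the default error pages:
server_tokens off;

# Referrer-Policy response header missing
add_header Referrer-Policy "origin" always;

# X-XSS-Protection response header missing (deprecated header, ignored by
# current browsers; kept only to satisfy the scanner)
add_header X-XSS-Protection "1; mode=block" always;

# X-Download-Options response header missing
add_header X-Download-Options "noopen" always;

# Strict-Transport-Security response header missing (only honoured by browsers
# over HTTPS; includeSubDomains makes every subdomain HTTPS-only)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# Content-Security-Policy response header missing. A minimal policy is shown;
# default-src 'self' blocks inline scripts/styles and third-party resources,
# so test the site and tune the policy before deploying.
add_header Content-Security-Policy "default-src 'self'" always;

# X-Permitted-Cross-Domain-Policies response header missing
add_header X-Permitted-Cross-Domain-Policies "master-only" always;

# Clickjacking: X-Frame-Options not configured
add_header X-Frame-Options "SAMEORIGIN" always;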


范例:

location / {

    。。。。

    ## nginx proxy configuration

    。。。。    

    # Response headers for the scanner findings.
    # NOTE(review): add_header is not inherited into a block that has its own
    # add_header directives, so everything the server{} level sets must be
    # repeated here; and the lines below without "always" only apply to
    # 2xx/3xx responses, so error pages will still be reported as missing them.

    # X-Content-Type-Options missing - left disabled for now, otherwise some
    # banners cannot be displayed

    #add_header X-Content-Type-Options "nosniff";

    # X-XSS-Protection missing (deprecated header, ignored by current browsers)

    add_header X-XSS-Protection "1; mode=block";

    # Content-Security-Policy missing. This policy allows http:, any https host,
    # 'unsafe-inline' and 'unsafe-eval', so it satisfies the scanner but gives
    # little protection against injected scripts; tighten it once the site's
    # real script/style sources are known.

    add_header Content-Security-Policy "default-src 'self' http: https://* data: blob: 'unsafe-eval' 'unsafe-inline';child-src 'none' " always;

    # Referrer-Policy missing

    add_header Referrer-Policy "no-referrer-when-downgrade" always;

    # X-Permitted-Cross-Domain-Policies missing ("none" is stricter than the
    # "master-only" used in the other examples)

    add_header X-Permitted-Cross-Domain-Policies none;

    # X-Download-Options missing

    add_header X-Download-Options noopen;

    # Strict-Transport-Security missing (only honoured by browsers over HTTPS;
    # includeSubDomains + preload commit every subdomain to HTTPS)

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

}


 


4、Tomcat

从Java程序层面添加响应头。

/**

 * @author ZQQ

 * @version 1.0

 * @date 2021/9/22 15:54

 * @desc :

 */

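@WebFilter(urlPatterns = "/*", filterName = "responseHeadFilter")
public class ResponseHeadFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration is read; the headers written below are fixed.
    }

    /**
     * Sets the security response headers a vulnerability scanner reports as
     * missing, re-issues every request cookie with {@code Secure} and
     * {@code HttpOnly}, then passes the request down the chain.
     *
     * <p>{@code setHeader} is used rather than {@code addHeader} so that a header
     * the application or the container already set is replaced instead of
     * duplicated: two Content-Security-Policy headers are enforced as the
     * intersection of both policies, and conflicting X-Frame-Options values are
     * treated by browsers as invalid.
     *
     * <p>Headers have to be written before the response is committed, which is
     * why everything happens before {@code chain.doFilter}.
     *
     * @param request  incoming request, expected to be an HttpServletRequest
     * @param response outgoing response, expected to be an HttpServletResponse
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the filter chain
     * @throws ServletException propagated from the filter chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        res.setHeader("X-Frame-Options", "SAMEORIGIN");
        res.setHeader("Referrer-Policy", "origin");
        res.setHeader("Content-Security-Policy", "object-src 'self'");
        res.setHeader("X-Permitted-Cross-Domain-Policies", "master-only");
        res.setHeader("X-Content-Type-Options", "nosniff");
        // Deprecated header that current browsers ignore; kept to satisfy scanners.
        res.setHeader("X-XSS-Protection", "1; mode=block");
        res.setHeader("X-Download-Options", "noopen");
        // Only honoured by browsers when received over HTTPS.
        res.setHeader("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");

        reissueCookiesWithFlags(req, res);

        chain.doFilter(request, response);
    }

    /**
     * Re-sends each request cookie as a Set-Cookie header carrying the
     * {@code Secure} and {@code HttpOnly} attributes.
     *
     * <p>The request only carries name/value pairs, so the cookie's original
     * Domain, Max-Age and SameSite attributes cannot be restored. Without an
     * explicit Path the browser would scope the re-issued cookie to the
     * directory of the current request URL and the client would end up with two
     * cookies of the same name on different paths (typically a broken session),
     * so the cookie is re-scoped to the web application's context path here.
     * Where the container offers it, prefer its own setting instead of this loop
     * ({@code <cookie-config>} with {@code <http-only>}/{@code <secure>} in
     * web.xml, or Tomcat's {@code useHttpOnly} context attribute).
     *
     * @param req request whose cookies are re-issued
     * @param res response the Set-Cookie headers are added to
     */
    private static void reissueCookiesWithFlags(HttpServletRequest req, HttpServletResponse res) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return;
        }
        String contextPath = req.getContextPath();
        // The root context has an empty context path; a cookie path must not be empty.
        String path = contextPath.isEmpty() ? "/" : contextPath;
        for (Cookie cookie : cookies) {
            String setCookie = cookie.getName() + "=" + cookie.getValue() + ";"
                    + "Path=" + path + ";"
                    + "Secure;"
                    + "HttpOnly;";
            res.addHeader("Set-Cookie", setCookie);
        }
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}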



5、PHP程序层面上添加响应头

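// These calls must run before any output (echo/HTML), otherwise PHP ignores
// them and reports "headers already sent". Header values end at the line end:
// the trailing ";" the original appended to every value is not part of the
// header syntax and makes single-token values such as X-Frame-Options invalid.
header("X-Frame-Options: SAMEORIGIN");                     // X-Frame-Options missing
header("Referrer-Policy: origin");                         // Referrer-Policy missing (spelled "Referrer", not "Referer")
header("Content-Security-Policy: frame-ancestors 'self'"); // Content-Security-Policy missing
header("X-Permitted-Cross-Domain-Policies: master-only");  // X-Permitted-Cross-Domain-Policies missing (value is not quoted)
header("X-XSS-Protection: 1; mode=block");                 // X-XSS-Protection missing (deprecated, kept only for scanners)
header("X-Download-Options: noopen");                      // X-Download-Options missing ("noopen" is its value; SAMEORIGIN belongs to X-Frame-Options)
header("X-Content-Type-Options: nosniff");                 // X-Content-Type-Options missing
header("Strict-Transport-Security: max-age=31536000");     // Strict-Transport-Security missing (only honoured over HTTPS)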


如果觉得麻烦,可以联系我们进行处理,技术手机微信同号:18179454891   QQ:2573214053
更新时间:2023-09-28
