Assume a working hello-world example of Spring Security and Spring MVC.
When I trace with Wireshark, I see the following flags in the HTTP request:
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    Strict-Transport-Security: max-age=31536000 ; includeSubDomains
    X-Frame-Options: DENY
    Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/; Secure; HttpOnly
I want to add this to my headers:

    Content-Security-Policy: script-src 'self'

I know that X-Frame-Options does almost the same job, but it would still let me sleep better. Now I think I need to do this under the configure function of my Spring Security configuration, but I don't know exactly how, i.e. I suppose something like .headers().something.something(self)
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // .csrf().disable()
            // .headers().disable()
            .authorizeRequests()
                .antMatchers("/register", "/static/**", "/h2/**", "/resources/**",
                             "/resources/static/css/**", "/resources/static/img/**",
                             "/resources/static/js/**", "/resources/static/pdf/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
Christopher .. 16
Just use the addHeaderWriter method, as shown below:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.header.writers.StaticHeadersWriter;

    @EnableWebSecurity
    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // ...
                .headers()
                    // writes the given header with a fixed value on every response
                    .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"));
                // ...
        }
    }
Note that as soon as you specify any headers that should be included, only those headers will be included.
To include the default headers as well, you can do the following:
    http
        .headers()
            .contentTypeOptions()
            .xssProtection()
            .cacheControl()
            .httpStrictTransportSecurity()
            .frameOptions()
            .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"))
            // ...
You can refer to the Spring Security documentation.
Although this StaticHeadersWriter approach works, the latest versions of Spring Security provide a dedicated method for this:

    http
        .headers()
            .contentSecurityPolicy("script-src 'self'");
For details, see the documentation: https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure
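As an added example (not code from any of the answers above), here is the question's form-login configuration combined with the contentSecurityPolicy() method from the last answer, on the Spring Security 4.2 API the linked documentation describes. The directives beyond script-src 'self' and the /csp-report endpoint are assumptions added for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Browsers POST CSP violation reports without a CSRF token, so the
            // (assumed) report endpoint must be exempted from CSRF checks.
            .csrf()
                .ignoringAntMatchers("/csp-report")
                .and()
            // In 4.x the default headers seen in the question (X-Content-Type-Options,
            // X-XSS-Protection, Cache-Control, HSTS, X-Frame-Options) stay enabled
            // unless defaultsDisabled() or disable() is called.
            .headers()
                // Emits the standard "Content-Security-Policy" header name, not the
                // legacy "X-Content-Security-Policy" that StaticHeadersWriter was given above.
                .contentSecurityPolicy(
                        "default-src 'self'; " +
                        "script-src 'self'; " +          // the policy asked for in the question
                        "object-src 'none'; " +
                        "frame-ancestors 'none'; " +     // CSP counterpart of X-Frame-Options: DENY
                        "report-uri /csp-report")        // assumed endpoint receiving violation reports
                    // For a staged rollout, uncomment the next line: the header becomes
                    // Content-Security-Policy-Report-Only, so violations are reported, not blocked.
                    // .reportOnly()
                    .and()
                .and()
            .authorizeRequests()
                .antMatchers("/register", "/static/**", "/h2/**", "/resources/**",
                             "/csp-report").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}
```

Verify the result the same way the question did, by inspecting a response: it should now carry a Content-Security-Policy line alongside the default headers listed above.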