jsp中添加:
<meta http-equiv="Content-Security-Policy" content="script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:">
servlet中添加:
/**解決Missing "Content-Security-Policy" header
* Missing "X-Content-Type-Options" header
* Missing "X-XSS-Protection" header導致Web 應用程序編程或配置不安全
* **/
response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Methods", "POST, GET");//允許跨域的請求方式
// response.setHeader("Access-Control-Max-Age", "3600");//預檢請求的間隔時間
response.setHeader("Access-Control-Allow-Headers", "Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,userId,token,Access-Control-Allow-Headers");//允許跨域請求攜帶的請求頭
response.setHeader("Access-Control-Allow-Credentials","true");//若要返回cookie、攜帶seesion等信息則將此項設置我true
response.setHeader("strict-transport-security","max-age=16070400; includeSubDomains");//簡稱爲HSTS。它允許一個HTTPS網站,要求瀏覽器總是通過HTTPS來訪問它
response.setHeader("Content-Security-Policy","default-src 'self'");//這個響應頭主要是用來定義頁面可以加載哪些資源,減少XSS的發生
response.setHeader("X-Content-Type-Options","nosniff");//互聯網上的資源有各種類型,通常瀏覽器會根據響應頭的Content-Type字段來分辨它們的類型。通過這個響應頭可以禁用瀏覽器的類型猜測行爲
response.setHeader("X-XSS-Protection","1; mode=block");//1; mode=block:啓用XSS保護,並在檢查到XSS攻擊時,停止渲染頁面
response.setHeader("X-Frame-Options","SAMEORIGIN");//SAMEORIGIN:不允許被本域以外的頁面嵌入;