Security-related HTTP response headers include:
Content-Security-Policy (CSP): forbids the page from loading resources from other websites
Strict-Transport-Security (HSTS): users who arrive over HTTP are redirected to HTTPS
X-Content-Type-Options (XCTO): controls IE's automatic document-type (MIME) sniffing
X-XSS-Protection (XSS Filter): IE's setting for blocking XSS attacks in the browser
CSP:
This document defines a mechanism by which web developers can control the resources which a particular page can fetch or execute, as well as a number of security-relevant policy decisions.
References
First, the official spec: http://w3c.github.io/webappsec-csp/
Then a Chinese page: http://open.chrome.360.cn/extension_dev/contentSecurityPolicy.html#H2-0
Then a Chinese blog post: http://www.2cto.com/Article/201307/230739.html
Configuration:
// arg1 here is a ServletResponse (e.g. the second parameter of Filter.doFilter); cast it so the header can be set
HttpServletResponse res = (HttpServletResponse) arg1;
res.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
or
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'">
Note that the source expressions must use plain ASCII single quotes ('self', 'unsafe-inline'); typographic quotes are not recognised and the directive is silently ignored.
'unsafe-eval' allows dynamically evaluated JavaScript (reflection-style and callback functions)
HSTS
Reference: https://linux.cn/article-5266-1.html
Overview: HTTP Strict Transport Security (HSTS) is a security feature by which a web server tells the browser to communicate with it only over HTTPS, never over plain HTTP.
It is configured on the server.
XCTO
References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
http://blog.sina.com.cn/s/blog_6cda35350102vvr6.html
Overview: IE's automatic document-type (MIME) sniffing feature
Configuration: set X-Content-Type-Options: nosniff to turn off IE's automatic document-type sniffing.
XXP (X-XSS-Protection)
References:
https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
http://www.2cto.com/article/201506/406232.html
Overview
X-XSS-Protection is an HTTP header understood by Internet Explorer 8 (and newer versions).
This header lets domains toggle on and off the "XSS Filter" of IE8, which prevents some categories of XSS attacks.
IE8 has the filter activated by default, but servers can switch it off by setting
Configuration
X-XSS-Protection: 1; mode=block
0 – turn off the browser's XSS protection
1 – turn on XSS protection
1; mode=block – turn on XSS protection and tell the browser to block the page rather than filter out the injected script
1; report=http://site.com/report – supported only by Chrome and WebKit-based browsers; tells the browser to POST the suspected XSS data to the given address whenever it detects a likely attack
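To check that a response actually carries the four headers discussed on this page (CSP, HSTS, XCTO and X-XSS-Protection) with sound values, here is an added example audit script; it is not from the original post. It works on constructed header dictionaries, so it runs offline; the one-year HSTS max-age threshold is this example's own assumption, not something the page states.

```python
import re

# Constructed sample: a response configured the way this page recommends.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}
# Constructed sample: the page's own CSP example plus weak or missing headers.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "X-Content-Type-Options": "sniff",
    "X-XSS-Protection": "0",
}


def parse_csp(value):
    """Split a CSP string into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_security_headers(headers):
    """Return {header: [findings]} for the four headers on this page; [] means it passes."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    csp = h.get("content-security-policy")
    if csp is None:
        findings["Content-Security-Policy"] = ["missing"]
    else:
        policy, issues = parse_csp(csp), []
        if "default-src" not in policy:
            issues.append("no default-src fallback")
        for d in ("script-src", "style-src"):
            for token in policy.get(d, []):
                if token in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                    issues.append(f"{d} allows {token}")
        findings["Content-Security-Policy"] = issues
    # HSTS: needs a max-age; the one-year minimum is this example's own assumption.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    findings["Strict-Transport-Security"] = ([] if m and int(m.group(1)) >= 31536000
                                             else ["missing, or max-age below one year"])
    xcto = h.get("x-content-type-options", "").strip().lower()
    findings["X-Content-Type-Options"] = [] if xcto == "nosniff" else ["not set to nosniff"]
    xxp = [t.strip() for t in h.get("x-xss-protection", "").split(";")]
    findings["X-XSS-Protection"] = [] if xxp[0] == "1" and "mode=block" in xxp else ["not '1; mode=block'"]
    return findings
```

Feed it the headers from a real response (for example `dict(requests.head(url).headers)`) to get the same per-header findings.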
Other headers will be added later.
Original: http://www.cnblogs.com/lakeslove/p/6377873.html