java - How to protect the whole project from attack? Seems like Spring didn't protect the whole site
spring security
I have prevented attacks (XSS, X-Frame, X-Content), but from the OWASP ZAP result it seems to protect the JSP files, not the project.

For example, these URLs under WebContent still aren't protected from attack:

    http://localhost:8080/my_project/javascript/login.js
    http://localhost:8080/my_project/javascript/manager.js
    http://localhost:8080/my_project/ui/bootstrap/dist/css/bootstrap.min.css

How can I protect the website?

Here is my method now:
Add SecurityHeadersInterceptor.java:

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.web.servlet.ModelAndView;
    import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

    public class SecurityHeadersInterceptor extends HandlerInterceptorAdapter {
        // Sets the security headers after the handler has run
        @Override
        public void postHandle(HttpServletRequest request, HttpServletResponse response,
                               Object handler, ModelAndView modelAndView) throws Exception {
            response.setHeader("X-Content-Type-Options", "nosniff");
            response.setHeader("X-Frame-Options", "DENY");
            response.setHeader("X-XSS-Protection", "1; mode=block");
            super.postHandle(request, response, handler, modelAndView);
        }
    }

and use the interceptor:

    <mvc:interceptors>
        <mvc:interceptor>
            <mvc:mapping path="/**"/>
            <bean class="com.my.project.interceptor.SecurityHeadersInterceptor"/>
        </mvc:interceptor>
    </mvc:interceptors>