向网站添加附加安全性 [英] Adding additonal Security to Website

问题描述

我正在运行一个基于Java Spring MVC的Web应用程序.它还基于Hybris平台.

I am running a Java Spring MVC based Web-Application. It is also based on the Hybris Platform.

现在，已经实现了有关身份验证和授权的基本功能.意味着我们确实有用于会话，有效的用户系统等的过滤器.

Now, the basic functionality in terms of Authentication and Authorization is already implemented. Meaning we do have filters for sessions, a working user-system, etc.

但是，我们目前还没有针对诸如XSS和其他可能的攻击之类的安全措施. XSS可能是最大的问题，因为它是最常见的攻击方式.

However, we currently have no security measurements against things such as XSS and other kinds of possible attacks that are out there. XSS is probably the biggest concern as it is the most common possible way of attacking.

现在，我想知道...明智地采取什么步骤? 我环顾四周，我发现存在像XSS-Filter这样的东西. 实施起来非常简单，只需复制源代码，然后将其添加为tomcats web.xml中即可.

Now, i wonder ... what steps would be smart to take? I have taken a look around and i have seen that stuff like XSS-Filter exist. Implementing such would be pretty easy, just copy past the source and add it as a in tomcats web.xml.

但是我想知道这样的过滤器是否足以满足安全要求?

But i wonder if that is a satisfying amount of security from such filter?

还有其他方法，例如我可以使用spring-security. 但是，在阅读文档时，我觉得这很and肿，其中很大一部分实现了已经实现的功能(例如，两个A).我觉得将它配置为我需要做的工作量需要很多工作. 我错了吗?

There are also way more bloated solutions, for example i could use the spring-security. However, reading the documentations, i feel like this is very bloated and a large part of it implements what is already implemented ( the two A's, for example). I feel like it would take a lot of work to configure it down to the amount of work that i need it to do. Am i wrong?

并且:

您如何建议处理XSS等安全问题?您是否通过遵循

How would you say is it recommended to deal with security issues, for example XSS? Do you use a certain predefined framework that suits the needs or is your security "hand-made" by following things like the cheat sheet?

推荐答案

1. 设置Anti-XSS标头(提示:使用Spring Security或创建自己的

2. 防止恶意的入站HTML/JS/CSS

3. Prevent malicious inbound HTML/JS/CSS

   使用 Hibernate Validator (您无需使用Hibernate ORM即可使用此)，并在所有用户提供的String字段上使用@SafeHtml注释.

   Use Hibernate Validator (you don't need to use Hibernate ORM to use this) with the @SafeHtml annotation on all user-supplied String fields.

   您可以在一个拦截器中验证所有请求标头，发布参数和查询参数，以简化XSS验证.

   You could validate all request headers, post params and query params in one Interceptor for simplistic XSS validation.

   在输出中转义所有用户提供的数据

   Escape all user-supplied data on output

   使用OWASP的 Java编码器项目 <e:forHtml value="${attr}" />转义输出或JSTL的<c:out value="${attr}"/>并在web.xml设置

   Use OWASP's Java Encoder Project <e:forHtml value="${attr}" /> to escape output or JSTL's <c:out value="${attr}"/> and in web.xml set

   <context-param>
       <param-name>defaultHtmlEscape</param-name>
       <param-value>true</param-value>
   </context-param>
   

   如果转义HTML节点文本，它们同样安全，但是OWASP对于HTML属性或<script>转义更安全.

   They are equally safe if escaping HTML node text, but OWASP is safer for HTML attribute or <script> escaping.

   如果要编辑的文件太多，请考虑

   If you have too many files to edit, consider http://pukkaone.github.io/2011/01/03/jsp-cross-site-scripting-elresolver.html

   使您的会话cookie无法被JavaScript读取.在web.xml:

   Make your session cookie unreadable by JavaScript. In web.xml:

   <session-config>
       <cookie-config>
           <!-- browser will disallow JavaScript access to session cookie -->
           <http-only>true</http-only>
       </cookie-config>
       <tracking-mode>COOKIE</tracking-mode>
   </session-config>
   

4. 如果您托管的是用户上传的文件，则需要使用其他域(而非子域)进行下载链接，以使恶意内容无法破坏您的会话Cookie(是的，即使是httpOnly也可能发生)

5. If you are hosting user-uploaded files, you need to use a different domain (not subdomain) for download links, so that evil content cannot clobber your session cookie (yes, this can happen even if it's httpOnly)

   这篇关于向网站添加附加安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！