如何在angularJS中将X-Frame-Options设置为响应标头? [英] How do I set X-Frame-Options as response header in angularJS?

问题描述

我从API的响应中收到X-Frame-Options标头，但是据我所知，为了防止点击劫持攻击，我需要在UI代码中添加它. UI代码(用angularjs编写)部署在Tomcat(版本7.0.72)服务器中.我尝试在我的应用程序的web.xml中添加以下过滤器.

I receive the X-Frame-Options header in the response from the API, but as I understand in order to prevent the clickjacking attack I need to add it in the UI code. The UI code( written in angularjs) is deployed in Tomcat (version 7.0.72) server. I tried adding the below filters in the web.xml of my application.

<filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
          <param-name>antiClickJackingEnabled</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>antiClickJackingOption</param-name>
          <param-value>DENY</param-value>
        </init-param>
    </filter>

但是，我看不到标题被添加.有人可以帮我找出解决方案吗?

Yet, I can't see the headers being added. Can someone please help me figure out the solution?

推荐答案

我找到了解决方案. X-Frame-Options响应标头需要通过Tomcat服务器上的web.xml添加.我的web.xml中缺少过滤器映射，因此没有添加标头.对于其他可能会遇到此问题的人，我将在web.xml中发布以下行:

I found the solution. The X-Frame-Options response header needs to be added via web.xml on Tomcat server. The filter-mapping was missing in my web.xml hence the headers were not getting added. For anyone else who might face this issue, I am posting the lines from web.xml here:

<filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
          <param-name>antiClickJackingEnabled</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>antiClickJackingOption</param-name>
          <param-value>DENY</param-value>
        </init-param>
    </filter>
  <filter-mapping> 
    <filter-name>httpHeaderSecurity</filter-name> 
    <url-pattern>/*</url-pattern>
</filter-mapping>
  <welcome-file-list>
      <welcome-file>index.html</welcome-file>
  </welcome-file-list>

通过此操作，将添加以下标头: •X框架选项 •X内容类型选项 •X-XSS-Protection

With this, the following headers get added: • X-Frame-Options • X-Content-Type-Options • X-XSS-Protection

如果您没有为每个标头指定值，则将设置每个标头的默认值.您可以在Tomcat服务器文档中找到默认值.

If you don't specify values for each of this header, the default value for each would be set. You can find the default values in Tomcat server docs.

这篇关于如何在angularJS中将X-Frame-Options设置为响应标头?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！