Configuring Content-Security-Policy in Tomcat


Question

I read about configuring/implementing the Content-Security-Policy header and I came across two ways of doing it:

  1. Implementing it with a custom filter
  2. Adding the tag in each HTML page

    Please note that this question is not a duplicate of this; I am looking for a solution better than the one given in this link.

    I see the drawback in (1) is that it's driven through code, not through a configuration file; the drawback in option (2) is, if I have, say, 100 HTML files, do I need to put this tag in every HTML? (Correct me if I'm wrong.) The solution I'm looking for is something I can configure in web.xml that becomes applicable for all the HTML files, something like the way we configure X-Frame-Options in web.xml, as given here. Don't we have a similar way of configuring Content-Security-Policy in web.xml?

    Answer

    Configure Content-Security-Policy in web.xml

    You can use the recommendation provided by OWASP here. It is a web filter that you can implement in your backend.

    The filter below then has to be defined in your web.xml file. It gets called on every request in your application. In Java you do that by creating an appropriate filter class.

        <filter>
            <filter-name>ContentSecurityPolicy</filter-name>
            <filter-class>YourPackagePath.ContentSecurityPolicyFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>ContentSecurityPolicy</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    

    The above will set the following value for Content-Security-Policy in your HTTP response header:

    default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; frame-src 'self'; connect-src 'self'; form-action 'self'; reflected-xss block
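The answer names the filter class in web.xml but does not show it. Below is an added example of such a filter; it is not the OWASP filter and not the answer's own code. It assumes the `javax.servlet` API (Tomcat 9 and earlier; Tomcat 10+ uses `jakarta.servlet`), a hypothetical package `com.example.security`, and two hypothetical `init-param` names, `policy` and `reportOnly`, so that the policy string itself lives in web.xml, which is what the asker wanted, rather than in code.

```java
// ContentSecurityPolicyFilter.java (added example; hypothetical package and init-param names)
package com.example.security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ContentSecurityPolicyFilter implements Filter {

    // Fallback policy, taken from the answer above (minus 'reflected-xss', which
    // current browsers do not implement). Used only if web.xml supplies no "policy" param.
    static final String DEFAULT_POLICY =
        "default-src 'none'; style-src 'self' 'unsafe-inline'; "
      + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; "
      + "frame-src 'self'; connect-src 'self'; form-action 'self'";

    private String policy;
    private boolean reportOnly;

    @Override
    public void init(FilterConfig config) {
        // Read the policy from <init-param> so it is configuration-driven, not code-driven.
        String configured = config.getInitParameter("policy");
        policy = (configured == null || configured.trim().isEmpty())
               ? DEFAULT_POLICY
               : configured.trim();
        // reportOnly=true sends Content-Security-Policy-Report-Only, which logs violations
        // without blocking; use it to stage a new policy before enforcing it.
        reportOnly = Boolean.parseBoolean(config.getInitParameter("reportOnly"));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            String headerName = reportOnly
                ? "Content-Security-Policy-Report-Only"
                : "Content-Security-Policy";
            // Set the header BEFORE passing the request down the chain: once a servlet or
            // JSP commits the response, headers can no longer be added. setHeader (not
            // addHeader) guarantees exactly one policy even if the filter is mapped twice.
            http.setHeader(headerName, policy);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

To wire it up, keep the `<filter>` and `<filter-mapping>` elements from the answer, point `<filter-class>` at `com.example.security.ContentSecurityPolicyFilter`, and add an `<init-param>` with `<param-name>policy</param-name>` carrying the policy string (and optionally `reportOnly` set to `true` while testing). Because the mapping is `/*`, the header is applied to every response, static HTML included, so nothing has to be added to the individual pages. Two caveats a practitioner should weigh: `'unsafe-inline'` and `'unsafe-eval'` in `script-src` allow exactly the inline and `eval()`-based payloads CSP is meant to block, so the answer's policy gives little XSS protection until inline scripts are replaced with nonces or hashes; and `reflected-xss` was a draft directive that never shipped in current browsers, so it is omitted from the fallback above. Note also that Tomcat's bundled `org.apache.catalina.filters.HttpHeaderSecurityFilter` covers X-Frame-Options, HSTS and X-Content-Type-Options but not CSP, which is why a custom filter is still needed here.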
