Tool research (2): Disabling the unsafe OPTIONS and TRACE methods in Nginx and Spring Boot
1. Background

The system has to run on cloud servers of the government network. 360 cooperates with the government, so before going live the system must pass 360's security scan and obtain its security certification.

2. 360's security requirement

Applications should expose their APIs over GET and POST as far as possible and disable OPTIONS; PUT, DELETE, TRACE and similar methods should not be used, since 360 regards them as unsafe.
3. Nginx configuration

```nginx
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  logs/host.access.log  main;

    location / {
        root   html;
        index  index.html index.htm;
        add_header Cache-Control no-cache;
        add_header Pragma no-cache;
        add_header Expires 0;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}

    # Reject OPTIONS, TRACE, PUT, DELETE and every other method except GET and POST.
    # The pattern is anchored and case-sensitive (HTTP method names are case-sensitive),
    # so a method that merely contains "GET" or "POST" is not let through.
    # Placed at server level, this applies to every location, including CORS preflights.
    if ($request_method !~ ^(GET|POST)$) {
        return 403;
    }
}
```

The block below is the part that rejects every request whose method is not GET or POST and answers with the configured status code (403 here):

```nginx
if ($request_method !~ ^(GET|POST)$) {
    return 403;
}
```

4. Disabling OPTIONS in Spring Boot

The related methods are disabled in the CORS filter:

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

/**
 * @ClassName: CorsConfig
 * @Description: Solves the cross-origin problem when a separated front end calls the back end.
 *               Mind the security risk; for finer-grained control, annotate individual
 *               methods with @CrossOrigin(origins = "url").
 * @author: zhongzk [email protected]
 * @date: 6 September 2018, 9:33:03 PM
 *
 * @Copyright: 2018 Bytecode team www.bjsurong.com. All rights reserved.
 */
@Configuration
public class CorsConfig {

    @Bean
    public FilterRegistrationBean corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);

        // Set the site origins you want to allow; "*" allows all of them.
        // Note: allowing credentials together with origin "*" lets any site make
        // credentialed requests, and Spring Framework 5.3+ rejects this combination
        // at startup (use setAllowedOriginPatterns instead).
        //config.addAllowedOrigin("http://localhost:4200");
        config.addAllowedOrigin("*");

        // Optional custom header list: Origin, X-Requested-With, Content-Type, Accept, Connection, User-Agent, Cookie, token
        //String allowHeaders = "Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With, Authorization";
        config.addAllowedHeader("*");
        config.addExposedHeader("Authorization");

        // Alternatively use config.addAllowedMethod("*"); OPTIONS, PUT and DELETE are
        // left out here to satisfy the 360 security requirement.
        // config.addAllowedMethod("OPTIONS");
        config.addAllowedMethod("HEAD");
        config.addAllowedMethod("GET");
        // config.addAllowedMethod("PUT");
        config.addAllowedMethod("POST");
        // config.addAllowedMethod("DELETE");
        config.addAllowedMethod("PATCH");

        source.registerCorsConfiguration("/**", config);

        // return new CorsFilter(source);
        final FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        // The order matters: register it first to avoid trouble.
        bean.setOrder(0);
        return bean;
    }
}
```
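The allowed-method list in CorsConfiguration only governs requests that carry an Origin header (CORS requests and preflights); a plain OPTIONS, PUT or TRACE without one passes the CorsFilter untouched. The filter below is an added example, not code from the original post, that enforces the same GET/POST/HEAD allowlist as the nginx `if` block for every request. It assumes Spring Boot 2.x with the javax.servlet API; the class name and bean name are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class HttpMethodAllowListConfig { // hypothetical name

    // Methods the policy permits; anything else (OPTIONS, TRACE, PUT, DELETE, ...) is rejected.
    // Exact, case-sensitive match: HTTP method names are case-sensitive.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("GET", "POST", "HEAD")));

    @Bean
    public FilterRegistrationBean<OncePerRequestFilter> methodAllowListFilter() {
        OncePerRequestFilter filter = new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                            FilterChain chain) throws ServletException, IOException {
                if (!ALLOWED.contains(req.getMethod())) {
                    // 405 plus an Allow header is the RFC 7231 answer; the nginx block above uses 403.
                    res.setHeader("Allow", String.join(", ", ALLOWED));
                    res.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                    return; // request never reaches the CORS filter or the controllers
                }
                chain.doFilter(req, res);
            }
        };
        FilterRegistrationBean<OncePerRequestFilter> bean = new FilterRegistrationBean<>(filter);
        bean.addUrlPatterns("/*");
        // Run ahead of CorsConfig's filter (order 0) so disallowed methods are cut off first.
        bean.setOrder(Integer.MIN_VALUE);
        return bean;
    }
}
```

Because OPTIONS is rejected outright, browser CORS preflights fail as well; that is the trade-off the page accepts by disabling OPTIONS.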