limeng 2 ay önce
ee2b8ad70a

+ 10 - 0
WebRoot/WEB-INF/web.xml

@@ -82,6 +82,7 @@
     	<filter-name>Set Character Encoding</filter-name>
     	<url-pattern>/*</url-pattern>
 	</filter-mapping>
+
 	 <filter>
 		<filter-name>AjaxAnywhere</filter-name>
 		<filter-class>org.ajaxanywhere.AAFilter</filter-class>
@@ -91,6 +92,15 @@
 		<url-pattern>/*</url-pattern>
 	</filter-mapping>
 
+	<filter>
+		<filter-name>SecurityHeadersFilter</filter-name>
+		<filter-class>com.ccgj.platform.interceptor.SecurityHeadersFilter</filter-class>
+	</filter>
+	<filter-mapping>
+		<filter-name>SecurityHeadersFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+
 
 
 	<filter>
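Review bot: The new `filter-mapping` on the `SecurityHeadersFilter` declares no `<dispatcher>` element, so the container applies it only to client REQUEST dispatches; responses produced via FORWARD, INCLUDE or ERROR dispatch (for example `<error-page>` targets) carry the headers only if the container preserves headers already set on the same response, which varies by container. If error pages must also carry the headers, add `<dispatcher>REQUEST</dispatcher>` and `<dispatcher>ERROR</dispatcher>` inside the mapping. Filter-mapping order is execution order, so this filter runs after `Set Character Encoding` and `AjaxAnywhere`; that is fine because it sets headers before delegating, but an XML comment such as `<!-- Security headers are set before chain.doFilter; keep this mapping ahead of any filter that commits the response -->` would make the ordering dependency explicit for the next editor.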

+ 26 - 0
src/com/ccgj/platform/interceptor/SecurityHeadersFilter.java

@@ -0,0 +1,26 @@
+package com.ccgj.platform.interceptor;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class SecurityHeadersFilter implements Filter {
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        // 设置安全头
+        httpResponse.setHeader("X-Content-Type-Options", "nosniff");
+        httpResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
+        httpResponse.setHeader("X-XSS-Protection", "1; mode=block");
+        httpResponse.setHeader("Content-Security-Policy", "default-src 'self'");
+        httpResponse.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+
+        chain.doFilter(request, httpResponse);
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) {}
+
+    @Override
+    public void destroy() {}
+}
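Review bot: `Strict-Transport-Security` is emitted on every response, including plain-HTTP ones, with `includeSubDomains` and a one-year `max-age`; once a browser receives it over HTTPS, every subdomain of that host must serve valid TLS for a year, so the header should be gated, e.g. `if (request.isSecure()) { httpResponse.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains"); }`, and the value read from a `FilterConfig` init-param rather than hard-coded. The `Content-Security-Policy: default-src 'self'` forbids inline scripts and styles and every third-party origin across `/*`, which for an existing application is likely to break pages; a safer rollout is to ship the same policy first as `Content-Security-Policy-Report-Only` with a `report-uri` or `report-to` directive and switch to enforcement once reports are clean. The unchecked cast `(HttpServletResponse) response` throws `ClassCastException` for a non-HTTP response; guard it with `if (response instanceof HttpServletResponse)` before setting headers. `X-XSS-Protection` is ignored by current browsers and can be dropped, the comment `// 设置安全头` should be in English (`// Add baseline security response headers`), and the class needs a Javadoc summary stating that headers are set before `chain.doFilter`, so downstream code can still override them with `setHeader`.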