Solutions for Host header attacks
阿新 • Published: 2021-12-06
Method 1: Servlet filter
Compare the Host header of every request against an allowlist of the hostnames the application is really served under, and reject everything else with 403 before it reaches the application:
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class HostHeaderFilter implements Filter {
    // Hostnames the application is served under (lower case, no port).
    // "SERVER_IP" is a placeholder, as in the original: replace it with the server's IP address.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.xxx.com", "SERVER_IP");

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Host header attack check: a missing or unlisted Host is rejected with 403
        if (!isAllowedHost(req.getHeader("Host"))) {
            res.setStatus(403);
            return;
        }
        chain.doFilter(request, response);
    }

    // Exact allowlist match. A substring test (indexOf) is not enough:
    // "www.xxx.com.evil.com" contains the allowed name but is attacker-controlled.
    public static boolean isAllowedHost(String requestHost) {
        if (requestHost == null) {
            return false;
        }
        // Drop an optional ":port"; the colon must come after any "]" of an IPv6 literal such as "[::1]:8080"
        int colon = requestHost.lastIndexOf(':');
        String host = colon > requestHost.lastIndexOf(']') ? requestHost.substring(0, colon) : requestHost;
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
Method 2: nginx
Inside the server block, reject requests whose Host header is not the expected value. $http_host is the raw header, so it contains ":port" only when the client sent one; compare against the bare domain for the standard ports.
if ($http_host != 'DOMAIN_OR_IP:PORT') {
    return 403;
}
or
# with a regex: anchor it with ^ and $ and escape the dots of a real domain (www\.xxx\.com)
if ($http_host !~* ^DOMAIN_OR_IP:PORT$) {
    return 403;   # a custom page or response can be returned here instead
}
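The same result is usually obtained more robustly without if, by letting nginx's own server_name matching do the work: one catch-all default_server that answers nothing, and one block with an exact server_name that is the only block serving the application. The following is an added example, not configuration from the original post; the hostname www.xxx.com, port 80 and the backend address 127.0.0.1:8080 are assumptions.

```nginx
# Catch-all: any request whose Host header matches no other server_name lands here.
# Having an explicit default_server matters, because otherwise nginx uses the first
# server block for that port as the default and a forged Host would still be served.
server {
    listen 80 default_server;
    server_name _;
    # 444 is nginx-specific: close the connection without sending a response.
    return 444;
}

# The only block that serves the application. nginx selects it by server_name match,
# so a request with Host: evil.com (or no Host header at all) never reaches it.
server {
    listen 80;
    server_name www.xxx.com;

    location / {
        # $host is the validated, lower-cased hostname without port; pass it to the
        # backend so the application never builds URLs from an unexpected Host value.
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;   # assumed backend address
    }
}
```

For HTTPS the same catch-all is needed on port 443 (with some certificate, since the TLS handshake completes before the Host header is read); without it the first server block listening on 443 becomes the default and answers forged Host values.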
Method 3: Tomcat
In Tomcat, edit the server.xml file and configure the name attribute of the Host element. Change the name in Host to a static domain name, as follows:
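An added example of such a server.xml excerpt (not the original post's configuration), assuming the site is www.xxx.com and that an empty directory webapps-reject exists next to webapps. It also covers the point the name change alone does not: Tomcat routes a request whose Host matches no <Host> to the Engine's defaultHost, so the default host must be one that serves nothing, otherwise forged Host values are still answered by the default host's applications.

```xml
<!-- server.xml excerpt: Engine inside the Service element -->
<Engine name="Catalina" defaultHost="reject">

  <!-- Dummy default host: requests whose Host header matches no other <Host>
       are routed here. Its appBase (assumed to be an empty directory) deploys
       nothing, so such requests get a 404 instead of the real application. -->
  <Host name="reject" appBase="webapps-reject" unpackWARs="false" autoDeploy="false"/>

  <!-- The real host: only requests whose Host header is www.xxx.com (Tomcat
       ignores the port when matching) reach the applications in webapps/. -->
  <Host name="www.xxx.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <!-- Each additional accepted hostname is an explicit Alias, not a wildcard -->
    <Alias>xxx.com</Alias>
  </Host>

</Engine>
```

If nginx from Method 2 sits in front of Tomcat and forwards only validated Host values, this configuration is a second, independent layer; it is still worth having because Tomcat's connector port is often reachable directly from the internal network.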