Security issues in Java web projects
1. Insecure HTTP methods enabled:
--Either modify the web application's own WEB-INF/web.xml (applies to that application only)
--or modify Tomcat's conf/web.xml (applies to every application deployed in that Tomcat instance)
Add the following configuration:
<security-constraint>
<web-resource-collection>
<web-resource-name>fortune</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint></auth-constraint>
</security-constraint>
--<security-constraint> restricts access to a set of resources;
--<auth-constraint> lists the roles that may access those resources; an empty <auth-constraint> means no role is allowed, so every user is denied (Tomcat answers 403 Forbidden);
--<url-pattern> selects the resources the constraint applies to (/* here means the whole application);
--<http-method> lists the methods the constraint applies to; methods that are not listed (GET and POST above) stay unconstrained.
--Caveats: only the methods listed are blocked, so an unusual or made-up method name is not covered by this constraint. HEAD is just GET without a response body and OPTIONS is needed for CORS preflight, so blocking them mostly silences scanners and can break clients; PUT, DELETE and TRACE are the ones worth denying. TRACE is already disabled in Tomcat unless the Connector sets allowTrace="true". If the application already has constraints on more specific patterns (for example /admin/*), Tomcat applies only the best-matching pattern to a request, so the method restriction must be repeated in those constraints as well.
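A tighter variant, added here as an example and not part of the original post: on Servlet 3.1 and later (Tomcat 8+), <http-method-omission> lets you list the methods to allow instead of the methods to deny, so every other method, including unknown or misspelled ones, is refused. The resource name app-resources, the /* pattern, and the choice of GET, POST and HEAD as the allowed set are assumptions for the example.

```xml
<!-- WEB-INF/web.xml (assumed Servlet 3.1 descriptor); added example, not the original post's config -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Deny every HTTP method except GET, POST and HEAD on every URL.
       http-method-omission names the methods this constraint does NOT cover;
       those stay usable, everything else falls into the empty auth-constraint. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app-resources</web-resource-name> <!-- assumed name -->
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
      <http-method-omission>HEAD</http-method-omission>
    </web-resource-collection>
    <!-- Empty auth-constraint: no role may use the covered methods, so they get 403 -->
    <auth-constraint/>
  </security-constraint>

</web-app>
```

Check it after deployment with curl: `curl -i -X PUT http://localhost:8080/app/` and `curl -i -X FOO http://localhost:8080/app/` should both return 403, while `curl -i http://localhost:8080/app/` still returns the page. Tomcat 8+ logs a startup warning that GET, POST and HEAD are "uncovered" for /*; that is expected with this form, and <deny-uncovered-http-methods/> must not be added next to it, because it would deny exactly those three methods.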
2. X-Frame-Options header not configured:
Reference: https://blog.csdn.net/chanlingmai5374/article/details/78674815