Spring Security Filters: HeaderWriterFilter

HeaderWriterFilter adds a set of browser-protection response headers to the current HttpServletResponse. It is configured by HeadersConfigurer: when HeadersConfigurer#configure runs, it calls createHeaderWriterFilter to build the HeaderWriterFilter and at the same time assembles the collection of HeaderWriters it will use:

private List<HeaderWriter> getHeaderWriters() {
	List<HeaderWriter> writers = new ArrayList<>();
	addIfNotNull(writers, this.contentTypeOptions.writer);
	addIfNotNull(writers, this.xssProtection.writer);
	addIfNotNull(writers, this.cacheControl.writer);
	addIfNotNull(writers, this.hsts.writer);
	addIfNotNull(writers, this.frameOptions.writer);
	addIfNotNull(writers, this.hpkp.writer);
	addIfNotNull(writers, this.contentSecurityPolicy.writer);
	addIfNotNull(writers, this.referrerPolicy.writer);
	addIfNotNull(writers, this.featurePolicy.writer);
	addIfNotNull(writers, this.permissionsPolicy.writer);
	addIfNotNull(writers, this.crossOriginOpenerPolicy.writer);
	addIfNotNull(writers, this.crossOriginEmbedderPolicy.writer);
	addIfNotNull(writers, this.crossOriginResourcePolicy.writer);
	writers.addAll(this.headerWriters);
	return writers;
}

By default the HeaderWriters added are XContentTypeOptionsHeaderWriter, XXssProtectionHeaderWriter, CacheControlHeadersWriter, HstsHeaderWriter and XFrameOptionsHeaderWriter.
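To see exactly what those five default writers put on a response, the following is an added example (not code from the original post or from the Spring Security project): it builds a HeaderWriterFilter from the same writers HeadersConfigurer installs by default and runs a mock request through it using the spring-test MockHttpServletRequest/MockHttpServletResponse classes. It assumes Spring Security 6.x (jakarta.servlet; on 5.x use javax.servlet) with spring-test on the classpath; the path /account is a made-up value.

```java
import java.io.IOException;
import java.util.List;

import jakarta.servlet.ServletException;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.HeaderWriterFilter;
import org.springframework.security.web.header.writers.CacheControlHeadersWriter;
import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

public class HeaderWriterFilterDemo {

    // The same five writers HeadersConfigurer adds by default, assembled by hand
    // in the order getHeaderWriters() uses.
    static HeaderWriterFilter defaultFilter() {
        List<HeaderWriter> writers = List.of(
                new XContentTypeOptionsHeaderWriter(),   // X-Content-Type-Options: nosniff
                new XXssProtectionHeaderWriter(),        // X-XSS-Protection
                new CacheControlHeadersWriter(),         // Cache-Control / Pragma / Expires
                new HstsHeaderWriter(),                  // Strict-Transport-Security, secure requests only
                new XFrameOptionsHeaderWriter());        // X-Frame-Options, default mode DENY
        return new HeaderWriterFilter(writers);
    }

    // Push one request through the filter and hand back the response so the
    // headers can be inspected. The filter writes its headers when the response
    // is committed or after the chain returns, so they are read after doFilter.
    static MockHttpServletResponse run(HeaderWriterFilter filter, boolean secure)
            throws ServletException, IOException {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/account"); // made-up path
        request.setSecure(secure);
        MockHttpServletResponse response = new MockHttpServletResponse();
        filter.doFilter(request, response, new MockFilterChain());
        return response;
    }

    public static void main(String[] args) throws Exception {
        HeaderWriterFilter filter = defaultFilter();

        // HTTPS request: every default writer fires.
        MockHttpServletResponse https = run(filter, true);
        for (String name : https.getHeaderNames()) {
            System.out.println(name + ": " + https.getHeader(name));
        }

        // Plain-HTTP request: HstsHeaderWriter's default requestMatcher only matches
        // request.isSecure(), so no Strict-Transport-Security header is written.
        MockHttpServletResponse http = run(filter, false);
        System.out.println("HSTS on plain HTTP: " + http.getHeader("Strict-Transport-Security"));
    }
}
```

The second run is the check worth keeping in a test suite: HSTS is deliberately skipped for non-secure requests, so an application that terminates TLS at a proxy must make sure the servlet container sees the request as secure (for example via the X-Forwarded-Proto handling of the container or Spring's ForwardedHeaderFilter), otherwise the header is silently never sent.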

XContentTypeOptionsHeaderWriter#XContentTypeOptionsHeaderWriter()

public XContentTypeOptionsHeaderWriter() {
	super("X-Content-Type-Options", "nosniff");
}

The XContentTypeOptionsHeaderWriter constructor adds X-Content-Type-Options: nosniff, which stops the browser from MIME-sniffing the content type. It relies on the parent class's writeHeaders to add the header to the response.

XXssProtectionHeaderWriter#writeHeaders(HttpServletRequest request, HttpServletResponse response)

public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
	if (!response.containsHeader(XSS_PROTECTION_HEADER)) {
		response.setHeader(XSS_PROTECTION_HEADER, this.headerValue);
	}
}

XSS_PROTECTION_HEADER is X-XSS-Protection and headerValue is 1; mode=block. For the meaning of the X-XSS-Protection response header see https://blog.csdn.net/suo082407128/article/details/104940753.

CacheControlHeadersWriter

public CacheControlHeadersWriter() {
	this.delegate = new StaticHeadersWriter(createHeaders());
}

private static List<Header> createHeaders() {
	List<Header> headers = new ArrayList<>(3);
	headers.add(new Header(CACHE_CONTROL, "no-cache, no-store, max-age=0, must-revalidate"));
	headers.add(new Header(PRAGMA, "no-cache"));
	headers.add(new Header(EXPIRES, "0"));
	return headers;
}

This adds three response headers, Cache-Control: no-cache, no-store, max-age=0, must-revalidate, Pragma: no-cache and Expires: 0, to prevent caching of the response.

HstsHeaderWriter

public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
	if (!this.requestMatcher.matches(request)) {
		if (this.logger.isTraceEnabled()) {
			this.logger.trace(LogMessage.format("Not injecting HSTS header since it did not match request to [%s]",
					this.requestMatcher));
		}
		return;
	}
	if (!response.containsHeader(HSTS_HEADER_NAME)) {
		response.setHeader(HSTS_HEADER_NAME, this.hstsHeaderValue);
	}
}

This adds the Strict-Transport-Security response header used for HTTP Strict Transport Security (HSTS), but only when the request matches this.requestMatcher; otherwise the writer returns without touching the response.

XFrameOptionsHeaderWriter

public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
	if (XFrameOptionsMode.ALLOW_FROM.equals(this.frameOptionsMode)) {
		String allowFromValue = this.allowFromStrategy.getAllowFromValue(request);
		if (XFrameOptionsMode.DENY.getMode().equals(allowFromValue)) {
			if (!response.containsHeader(XFRAME_OPTIONS_HEADER)) {
				response.setHeader(XFRAME_OPTIONS_HEADER, XFrameOptionsMode.DENY.getMode());
			}
		}
		else if (allowFromValue != null) {
			if (!response.containsHeader(XFRAME_OPTIONS_HEADER)) {
				response.setHeader(XFRAME_OPTIONS_HEADER,
						XFrameOptionsMode.ALLOW_FROM.getMode() + " " + allowFromValue);
			}
		}
	}
	else {
		response.setHeader(XFRAME_OPTIONS_HEADER, this.frameOptionsMode.getMode());
	}
}

This sets the X-Frame-Options response header. For its specific meaning see https://blog.csdn.net/u014704612/article/details/115633050.
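Changing which of these writers run, and what they emit, is done through the HeadersConfigurer DSL that feeds getHeaderWriters(). The configuration below is an added example (not from the original post or from the Spring Security project), written against the Spring Security 6.x lambda DSL; the partner origin https://partner.example and the extra X-Permitted-Cross-Domain-Policies header are made-up illustration values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue;

@Configuration
@EnableWebSecurity
public class HeadersConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .headers(headers -> headers
                // contentTypeOptions and cacheControl keep their default writers:
                // X-Content-Type-Options: nosniff and the three no-cache headers.
                .contentTypeOptions(Customizer.withDefaults())
                .cacheControl(Customizer.withDefaults())
                // HstsHeaderWriter: one year, subdomains included, preload flag set.
                .httpStrictTransportSecurity(hsts -> hsts
                    .maxAgeInSeconds(31536000)
                    .includeSubDomains(true)
                    .preload(true))
                // XFrameOptionsHeaderWriter: SAMEORIGIN instead of the default DENY.
                .frameOptions(frame -> frame.sameOrigin())
                // XXssProtectionHeaderWriter: emit X-XSS-Protection: 0 rather than 1; mode=block.
                .xssProtection(xss -> xss.headerValue(HeaderValue.DISABLED))
                // ContentSecurityPolicyHeaderWriter: frame-ancestors is the modern way to
                // allow framing from specific origins (made-up partner origin).
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("default-src 'self'; frame-ancestors 'self' https://partner.example"))
                .referrerPolicy(referrer -> referrer.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
                // Anything else goes into the headerWriters list appended at the end of getHeaderWriters().
                .addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none")))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Two points of practice behind these choices. The ALLOW-FROM branch visible in XFrameOptionsHeaderWriter#writeHeaders is no longer honoured by current browsers, so restricting framing to particular origins is done with the frame-ancestors CSP directive as above, with X-Frame-Options kept only as a DENY/SAMEORIGIN fallback. Likewise the browser-side XSS auditor that 1; mode=block relied on has been removed from current browsers, and HeaderValue.DISABLED (X-XSS-Protection: 0) is the value current guidance recommends. To drop a single writer use that writer's config, for example frame -> frame.disable(); headers.disable() removes the whole HeaderWriterFilter, which is rarely intended.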

Posted @ 2023-04-22 21:43 by shigp1, 353 reads, 0 comments