前言：经常遇到网站被扫描有响应头缺失的漏洞,本问将介绍如何处理IIS、Apache、Nginx、Tomcat（java）下修复响应头缺失的漏洞方法,例如 X-Content-Type-Options响应头缺失、Referrer-Policy响应头缺失、X-XSS-Protection响应头缺失、X-Download-Options响应头缺失、Strict-Transport-Security响应头缺失、Content-Security-Policy响应头缺失、X-Permitted-Cross-Domain-Policies响应头缺失、X-Frame-Options未配置方法。相对大家有帮助。 解决方法： ### 1、IIS7及以上版本 ``` ``` ### 2、Apache 在conf配置文件或网站根目录下创建.htaccess，在其中添加以下规则：> #检测到目标X-Content-Type-Options响应头缺失 > Header set X-Content-Type-Options "nosniff" > #检测到目标X-XSS-Protection响应头缺失 > Header set X-XSS-Protection "1; mode=block" > #检测到目标Strict-Transport-Security响应头缺失 > Header set Strict-Transport-Security: "max-age=31536000 ; includeSubDomains ;" > #检测到目标Referrer-Policy响应头缺失 > Header set Referrer-Policy: strict-origin-when-cross-origin > #检测到目标X-Permitted-Cross-Domain-Policies响应头缺失 > Header set X-Permitted-Cross-Domain-Policies "master-only" > #检测到目标X-Download-Options响应头缺失 > Header set X-Download-Options "noopen" > #点击劫持：X-Frame-Options未配置 > Header set X-Frame-Options "SAMEORIGIN" ### 3、Nginx > 在站点配置文件中添加如下规则。 > #检测到目标X-Content-Type-Options响应头缺失 > add_header 'Referrer-Policy' 'origin'; > #检测到错误页面web应用服务器版本信息泄露 > 修改404页面及500页面，不要出现apache、nginx等字样 > #检测到目标Referrer-Policy响应头缺失 > add_header 'Referrer-Policy' 'origin'; > #检测到目标X-XSS-Protection响应头缺失 > add_header X-Xss-header “1;mode=block”; > #检测到目标X-Download-Options响应头缺失 > add_header X-Download-Options "noopen" always; > #检测到目标Strict-Transport-Security响应头缺失 > add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; > #检测到目标Content-Security-Policy响应头缺失 > add_header X-Frame-Options SAMEORIGIN; > #检测到目标X-Permitted-Cross-Domain-Policies响应头缺失 > header("X-Permitted-Cross-Domain-Policies:'master-only';"); > #点击劫持：X-Frame-Options未配置 > add_header X-Frame-Options SAMEORIGIN; 范例： ``` location / { 。。。。 ## nginx代理配置 。。。。 # 相关安全漏洞响应头 # 检测到目标 X-Content-Type-Options响应头缺失 这个暂时不开启，不然部分banner无法使用 #add_header X-Content-Type-Options "nosniff"; # 检测到目标 X-XSS-Protection响应头缺失 add_header X-XSS-Protection "1; mode=block"; # 检测到目标 Content-Security-Policy响应头缺失 add_header Content-Security-Policy "default-src 'self' http: https://* data: blob: 'unsafe-eval' 'unsafe-inline';child-src 'none' " always; # 检测到目标 Referrer-Policy响应头缺失 add_header Referrer-Policy "no-referrer-when-downgrade" always; # 检测到目标 X-Permitted-Cross-Domain-Policies响应头缺失 add_header X-Permitted-Cross-Domain-Policies none; # 检测到目标 X-Download-Options响应头缺失 add_header X-Download-Options noopen; # 检测到目标 Strict-Transport-Security响应头缺失 add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; } ``` ### 4、Tomcat 从java程序层面禁止响应头。 ``` /** * @author ZQQ * @version 1.0 * @date 2021/9/22 15:54 * @desc : */ @WebFilter(urlPatterns = "/*", filterName = "responseHeadFilter") public class ResponseHeadFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { } public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException, IOException { //增加响应头缺失代码 HttpServletRequest req=(HttpServletRequest)request; HttpServletResponse res=(HttpServletResponse)response; res.addHeader("X-Frame-Options","SAMEORIGIN"); res.addHeader("Referrer-Policy","origin"); res.addHeader("Content-Security-Policy","object-src 'self'"); res.addHeader("X-Permitted-Cross-Domain-Policies","master-only"); res.addHeader("X-Content-Type-Options","nosniff"); res.addHeader("X-XSS-Protection","1; mode=block"); res.addHeader("X-Download-Options","noopen"); res.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload"); //处理cookie问题 Cookie[] cookies = req.getCookies(); if (cookies != null) { for (Cookie cookie : cookies) { String value = cookie.getValue(); StringBuilder builder = new StringBuilder(); builder.append(cookie.getName()+"="+value+";"); builder.append("Secure;");//Cookie设置Secure标识 builder.append("HttpOnly;");//Cookie设置HttpOnly res.addHeader("Set-Cookie", builder.toString()); } } chain.doFilter(request, response); } @Override public void destroy() { } } ``` ### 5、PHP程序层面上禁止响应头 ``` header("X-Frame-Options:SAMEORIGIN;"); // X-Frame-Options 响应头缺失 header("Referer-Policy:origin;");//Referer-Policy 响应头缺失 header("Content-Security-Policy:frame-ancestors 'self';");//Content-Security-Policy 响应头缺失 header("X-Permitted-Cross-Domain-Policies:'master-only';");//X-Permitted-Cross-Domain-Policies 响应头缺失 header("X-XSS-Protection:1; mode=block;");//X-XSS-Protection 响应头缺失 header("X-Download-Options: SAMEORIGIN;");//X-Download-Options 响应头缺失 header("X-Content-Type-Options:nosniff;");//X-Content-Type-Options 响应头缺失 header("Strict-Transport-Security:max-age=31536000;");//Strict-Transport-Security 响应头缺失 ``` ### HTML前端解决办法： ``` ```