聊聊spring cloud gateway的SecureHeadersGatewayFilter
发布时间:2019-06-23



本文主要研究下spring cloud gateway的SecureHeadersGatewayFilter

GatewayAutoConfiguration

/**
 * Gateway auto-configuration. Only the bean relevant to this article is shown; the rest of
 * the class is elided ({@code //......}). The original listing had been collapsed onto one
 * line, which let the {@code //......} comment swallow the {@code @Bean} method — restored here.
 */
@Configuration
@ConditionalOnProperty(name = "spring.cloud.gateway.enabled", matchIfMissing = true)
@EnableConfigurationProperties
@AutoConfigureBefore(HttpHandlerAutoConfiguration.class)
@AutoConfigureAfter({GatewayLoadBalancerClientAutoConfiguration.class, GatewayClassPathWarningAutoConfiguration.class})
@ConditionalOnClass(DispatcherHandler.class)
public class GatewayAutoConfiguration {
    //......

    /**
     * Registers the factory behind the SecureHeaders route filter.
     * <p>
     * The factory holds exactly one {@link SecureHeadersProperties} instance (bound from
     * {@code spring.cloud.gateway.filter.secure-headers.*}), so every route that applies the
     * filter emits the same header values — per-route overrides are not supported in this
     * version (see the TODO in the factory's {@code apply}). Registering the bean alone does
     * not add the headers; the filter still has to be referenced from the route definitions.
     *
     * @param properties globally configured header values
     * @return the filter factory
     */
    @Bean
    public SecureHeadersGatewayFilterFactory secureHeadersGatewayFilterFactory(SecureHeadersProperties properties) {
        return new SecureHeadersGatewayFilterFactory(properties);
    }
    //......
}

SecureHeadersProperties

配置项

{      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",      "defaultValue": "default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'",      "name": "spring.cloud.gateway.filter.secure-headers.content-security-policy",      "type": "java.lang.String"    },    {      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",      "defaultValue": "nosniff",      "name": "spring.cloud.gateway.filter.secure-headers.content-type-options",      "type": "java.lang.String"    },    {      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",      "defaultValue": "noopen",      "name": "spring.cloud.gateway.filter.secure-headers.download-options",      "type": "java.lang.String"    },    {      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",      "defaultValue": "DENY",      "name": "spring.cloud.gateway.filter.secure-headers.frame-options",      "type": "java.lang.String"    },    {      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",      "defaultValue": "none",      "name": "spring.cloud.gateway.filter.secure-headers.permitted-cross-domain-policies",      "type": "java.lang.String"    },    {      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",      "defaultValue": "no-referrer",      "name": "spring.cloud.gateway.filter.secure-headers.referrer-policy",      "type": "java.lang.String"    },    {      "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",      "defaultValue": "max-age=631138519",      "name": "spring.cloud.gateway.filter.secure-headers.strict-transport-security",      "type": "java.lang.String"    },    {      "sourceType": 
"org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",      "defaultValue": "1 ; mode=block",      "name": "spring.cloud.gateway.filter.secure-headers.xss-protection-header",      "type": "java.lang.String"    }

实体类

spring-cloud-gateway-core-2.0.0.RC1-sources.jar!/org/springframework/cloud/gateway/filter/factory/SecureHeadersProperties.java

/**
 * Configuration holder for the response headers written by SecureHeadersGatewayFilter.
 * Bound from {@code spring.cloud.gateway.filter.secure-headers.*}; each field defaults to the
 * constant declared next to it. Getters and setters are elided ({@code //......}).
 * <p>
 * Reviewer notes on the shipped defaults (2.0.0.RC1, see the path above):
 * <ul>
 *  <li>{@code X-Xss-Protection: 1 ; mode=block} is the legacy XSS-auditor header. Several
 *      browsers have since removed the auditor and current guidance generally prefers
 *      {@code 0} plus a real CSP — verify against the browsers you target; do not treat it
 *      as a control you rely on.</li>
 *  <li>{@code Strict-Transport-Security: max-age=631138519} (roughly 20 years) carries neither
 *      {@code includeSubDomains} nor {@code preload}; the trailing source comment shows the
 *      author considered them. Browsers only honour HSTS on responses received over TLS.</li>
 *  <li>The CSP default allows {@code script-src https:} (scripts from any HTTPS origin) and
 *      {@code 'unsafe-inline'} styles, and contains no {@code frame-ancestors}, so framing
 *      protection rests on X-Frame-Options alone. Tighten per application.</li>
 * </ul>
 * The original listing was collapsed onto two lines, so the trailing {@code //} comments
 * swallowed the declarations that followed them; line breaks are restored here.
 */
@ConfigurationProperties("spring.cloud.gateway.filter.secure-headers")
public class SecureHeadersProperties {
    public static final String X_XSS_PROTECTION_HEADER_DEFAULT = "1 ; mode=block";
    public static final String STRICT_TRANSPORT_SECURITY_HEADER_DEFAULT = "max-age=631138519"; //; includeSubDomains preload")
    public static final String X_FRAME_OPTIONS_HEADER_DEFAULT = "DENY"; //SAMEORIGIN = ALLOW-FROM
    public static final String X_CONTENT_TYPE_OPTIONS_HEADER_DEFAULT = "nosniff";
    public static final String REFERRER_POLICY_HEADER_DEFAULT = "no-referrer"; //no-referrer-when-downgrade = origin = origin-when-cross-origin = same-origin = strict-origin = strict-origin-when-cross-origin = unsafe-url
    public static final String CONTENT_SECURITY_POLICY_HEADER_DEFAULT = "default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'";
    public static final String X_DOWNLOAD_OPTIONS_HEADER_DEFAULT = "noopen";
    public static final String X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER_DEFAULT = "none";

    // One field per emitted header; each property key is the kebab-case form of the field name.
    private String xssProtectionHeader = X_XSS_PROTECTION_HEADER_DEFAULT;
    private String strictTransportSecurity = STRICT_TRANSPORT_SECURITY_HEADER_DEFAULT;
    private String frameOptions = X_FRAME_OPTIONS_HEADER_DEFAULT;
    private String contentTypeOptions = X_CONTENT_TYPE_OPTIONS_HEADER_DEFAULT;
    private String referrerPolicy = REFERRER_POLICY_HEADER_DEFAULT;
    private String contentSecurityPolicy = CONTENT_SECURITY_POLICY_HEADER_DEFAULT;
    private String downloadOptions = X_DOWNLOAD_OPTIONS_HEADER_DEFAULT;
    private String permittedCrossDomainPolicies = X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER_DEFAULT;
    //......

    /**
     * Renders every configured header value (values only, no secrets are held here).
     * {@code StringBuffer} is verbatim library code; a {@code StringBuilder} would suffice.
     */
    @Override
    public String toString() {
        final StringBuffer sb = new StringBuffer("SecureHeadersProperties{");
        sb.append("xssProtectionHeader='").append(xssProtectionHeader).append('\'');
        sb.append(", strictTransportSecurity='").append(strictTransportSecurity).append('\'');
        sb.append(", frameOptions='").append(frameOptions).append('\'');
        sb.append(", contentTypeOptions='").append(contentTypeOptions).append('\'');
        sb.append(", referrerPolicy='").append(referrerPolicy).append('\'');
        sb.append(", contentSecurityPolicy='").append(contentSecurityPolicy).append('\'');
        sb.append(", downloadOptions='").append(downloadOptions).append('\'');
        sb.append(", permittedCrossDomainPolicies='").append(permittedCrossDomainPolicies).append('\'');
        sb.append('}');
        return sb.toString();
    }
}

SecureHeadersGatewayFilterFactory

spring-cloud-gateway-core-2.0.0.RC1-sources.jar!/org/springframework/cloud/gateway/filter/factory/SecureHeadersGatewayFilterFactory.java

/**
 * Factory for the SecureHeaders gateway filter (route name presumably derived from the class
 * name minus {@code GatewayFilterFactory}, per the framework convention — confirm for the
 * version in use). The filter stamps a fixed set of browser security headers onto every
 * proxied response, taking the values from {@link SecureHeadersProperties}.
 * <p>
 * Background on the individual headers: https://blog.appcanary.com/2017/http-security-headers.html
 * <p>
 * The original listing was collapsed onto one line, so the two {@code //TODO} comments swallowed
 * the code that followed them; line breaks are restored here.
 *
 * @author Spencer Gibb
 */
public class SecureHeadersGatewayFilterFactory extends AbstractGatewayFilterFactory {

    // Response header names written by apply(). Header names are case-insensitive, so the
    // non-canonical "X-Xss-Protection" spelling is harmless.
    public static final String X_XSS_PROTECTION_HEADER = "X-Xss-Protection";
    public static final String STRICT_TRANSPORT_SECURITY_HEADER = "Strict-Transport-Security";
    public static final String X_FRAME_OPTIONS_HEADER = "X-Frame-Options";
    public static final String X_CONTENT_TYPE_OPTIONS_HEADER = "X-Content-Type-Options";
    public static final String REFERRER_POLICY_HEADER = "Referrer-Policy";
    public static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
    public static final String X_DOWNLOAD_OPTIONS_HEADER = "X-Download-Options";
    public static final String X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER = "X-Permitted-Cross-Domain-Policies";

    // Single application-wide source of header values; apply() never consults its config argument.
    private final SecureHeadersProperties properties;

    public SecureHeadersGatewayFilterFactory(SecureHeadersProperties properties) {
        this.properties = properties;
    }

    /**
     * Returns the filter that adds all eight security headers and then continues the chain.
     * <p>
     * Reviewer notes:
     * <ul>
     *  <li>{@code HttpHeaders#add} appends a value rather than replacing an existing one. If the
     *      upstream service already sets one of these headers, the client receives both values.
     *      Per the CSP spec every delivered policy is enforced, while browser handling of duplicate
     *      or conflicting X-Frame-Options values has historically been inconsistent — strip or
     *      override upstream headers deliberately if the gateway's policy must be authoritative.</li>
     *  <li>Strict-Transport-Security is added regardless of scheme; browsers only honour it on
     *      responses received over TLS, so it is effective only when the gateway serves HTTPS.</li>
     *  <li>Headers are written before delegating to {@code chain.filter}, i.e. before the
     *      downstream response is proxied.</li>
     * </ul>
     *
     * @param config ignored in this version — see the TODO below: route-level arguments cannot
     *               override the global properties, and no individual header can be disabled
     * @return the header-adding filter
     */
    @Override
    public GatewayFilter apply(Object config) {
        //TODO: allow args to override properties
        return (exchange, chain) -> {
            HttpHeaders headers = exchange.getResponse().getHeaders();
            //TODO: allow header to be disabled
            headers.add(X_XSS_PROTECTION_HEADER, properties.getXssProtectionHeader());
            headers.add(STRICT_TRANSPORT_SECURITY_HEADER, properties.getStrictTransportSecurity());
            headers.add(X_FRAME_OPTIONS_HEADER, properties.getFrameOptions());
            headers.add(X_CONTENT_TYPE_OPTIONS_HEADER, properties.getContentTypeOptions());
            headers.add(REFERRER_POLICY_HEADER, properties.getReferrerPolicy());
            headers.add(CONTENT_SECURITY_POLICY_HEADER, properties.getContentSecurityPolicy());
            headers.add(X_DOWNLOAD_OPTIONS_HEADER, properties.getDownloadOptions());
            headers.add(X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER, properties.getPermittedCrossDomainPolicies());
            return chain.filter(exchange);
        };
    }
}

可以看到该filter在调用chain.filter之前,无条件地通过headers.add往response添加一系列security相关的header。有两点需要注意:一是add是追加而不是覆盖,如果下游服务本身已经返回了同名header,客户端会同时收到两个值(多条Content-Security-Policy会被浏览器分别执行,重复或冲突的X-Frame-Options各浏览器处理并不一致),需要网关策略生效时应先去掉或覆盖上游header;二是代码里的两处TODO说明在2.0.0.RC1这个版本既不能通过路由参数覆盖属性,也不能单独关闭某个header,只能通过spring.cloud.gateway.filter.secure-headers.*做全局配置。

小结

SecureHeadersGatewayFilter往response添加了如下header

  • X-Xss-Protection

spring.cloud.gateway.filter.secure-headers.xss-protection-header=1 ; mode=block

(注意:X-XSS-Protection属于遗留header,部分主流浏览器已移除XSS auditor,目前普遍建议依赖CSP而非此header;该默认值应视为兼容性设置,不要把它当作有效防护。)

  • Strict-Transport-Security

spring.cloud.gateway.filter.secure-headers.strict-transport-security=max-age=631138519

(默认只有max-age(约20年),没有includeSubDomains和preload,源码注释里已有提示;另外浏览器只会接受经TLS返回的HSTS,网关若不是以HTTPS对外提供服务,这个header不会生效。)

  • X-Frame-Options

spring.cloud.gateway.filter.secure-headers.frame-options=DENY

(DENY禁止任何页面以iframe方式嵌入;需要被同源页面嵌入时可改为SAMEORIGIN。由于默认CSP里没有frame-ancestors指令,点击劫持防护完全依赖这个header。)

  • X-Content-Type-Options

spring.cloud.gateway.filter.secure-headers.content-type-options=nosniff

  • Referrer-Policy

spring.cloud.gateway.filter.secure-headers.referrer-policy=no-referrer

  • Content-Security-Policy

spring.cloud.gateway.filter.secure-headers.content-security-policy=default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'

(注意:script-src https: 允许加载任意HTTPS来源的脚本,style-src 含 'unsafe-inline';这是一个相当宽松的默认策略,生产环境应按应用实际需要收紧。)

  • X-Download-Options

spring.cloud.gateway.filter.secure-headers.download-options=noopen

  • X-Permitted-Cross-Domain-Policies

spring.cloud.gateway.filter.secure-headers.permitted-cross-domain-policies=none


转载于:https://my.oschina.net/go4it/blog/1824110
