我正在使用Spring Boot和Spring Rest应用程序。安全测试已报告问题
“ Web应用程序或服务使用HTTP响应标头Access-Control-Allow-Origin向Web客户端通知允许的域。标头可以包含'*'表示允许所有域。”
修复-
仅在需要跨域访问的选定URL上使用Access-Control-Allow-Origin标头。不要在整个域中使用标题。
[在发出HTTP请求时,他们先使用origin: null
,然后使用Access-Control-Allow-Origin: *
我该如何实现?
在您的项目中使用它,我认为它将解决您的问题,
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class Filter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "authorization, content-type, xsrf-token, token");
response.addHeader("Access-Control-Expose-Headers", "xsrf-token");
if ("OPTIONS".equals(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
filterChain.doFilter(request, response);
}
}
}