Vulnerabilities: "Content-Security-Policy" header missing; "X-Content-Type-Options" header missing or insecure
Vulnerability description: "Content-Security-Policy" header missing
Solution: edit the web.xml file (located under domains\mydomain\config) and add the following:
<filter>
    <filter-name>CspFilter</filter-name>
    <filter-class>com.apusic.ams.filters.CorsFilter</filter-class>
    <init-param>
        <!-- value sent in the Content-Security-Policy response header -->
        <param-name>policy</param-name>
        <param-value>default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; object-src 'none'; frame-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; report-uri /csp-report</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CspFilter</filter-name>
    <!-- apply the filter to every request path -->
    <url-pattern>/*</url-pattern>
</filter-mapping>
Vulnerability description: "X-Content-Type-Options" header missing or insecure
Solution: edit the web.xml file (located under domains\mydomain\config) and add the following:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <!-- security-header filter; check the response carries X-Content-Type-Options: nosniff after deployment -->
    <filter-class>com.apusic.ams.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <!-- restricts framing to the same origin (X-Frame-Options: SAMEORIGIN) -->
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <!-- apply the filter to every request path -->
    <url-pattern>/*</url-pattern>
</filter-mapping>