聊聊spring cloud gateway的SecureHeadersGatewayFilter
序
本文主要研究下spring cloud gateway的SecureHeadersGatewayFilter
GatewayAutoConfiguration
/**
 * Gateway auto-configuration (excerpt: only the SecureHeaders bean is shown here).
 *
 * <p>Active unless {@code spring.cloud.gateway.enabled=false} (the property is
 * optional, {@code matchIfMissing = true}) and only when {@code DispatcherHandler}
 * is on the classpath.
 */
@Configuration
@ConditionalOnProperty(name = "spring.cloud.gateway.enabled", matchIfMissing = true)
@EnableConfigurationProperties
@AutoConfigureBefore(HttpHandlerAutoConfiguration.class)
@AutoConfigureAfter({GatewayLoadBalancerClientAutoConfiguration.class, GatewayClassPathWarningAutoConfiguration.class})
@ConditionalOnClass(DispatcherHandler.class)
public class GatewayAutoConfiguration {
    //......

    /**
     * Registers the factory behind the {@code SecureHeaders} gateway filter.
     *
     * @param properties the values bound from
     *                   {@code spring.cloud.gateway.filter.secure-headers.*}; the factory
     *                   reads each header value from this object when it builds the filter
     * @return the filter factory
     */
    @Bean
    public SecureHeadersGatewayFilterFactory secureHeadersGatewayFilterFactory(SecureHeadersProperties properties) {
        return new SecureHeadersGatewayFilterFactory(properties);
    }
    //......
}
配置項
{"sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties","defaultValue": "default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'","name": "spring.cloud.gateway.filter.secure-headers.content-security-policy","type": "java.lang.String"},{"sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties","defaultValue": "nosniff","name": "spring.cloud.gateway.filter.secure-headers.content-type-options","type": "java.lang.String"},{"sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties","defaultValue": "noopen","name": "spring.cloud.gateway.filter.secure-headers.download-options","type": "java.lang.String"},{"sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties","defaultValue": "DENY","name": "spring.cloud.gateway.filter.secure-headers.frame-options","type": "java.lang.String"},{"sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties","defaultValue": "none","name": "spring.cloud.gateway.filter.secure-headers.permitted-cross-domain-policies","type": "java.lang.String"},{"sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties","defaultValue": "no-referrer","name": "spring.cloud.gateway.filter.secure-headers.referrer-policy","type": "java.lang.String"},{"sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties","defaultValue": "max-age=631138519","name": "spring.cloud.gateway.filter.secure-headers.strict-transport-security","type": "java.lang.String"},{"sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties","defaultValue": "1 ; mode=block","name": "spring.cloud.gateway.filter.secure-headers.xss-protection-header","type": "java.lang.String"}
實體類
spring-cloud-gateway-core-2.0.0.RC1-sources.jar!/org/springframework/cloud/gateway/filter/factory/SecureHeadersProperties.java
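/**
 * Values bound from {@code spring.cloud.gateway.filter.secure-headers.*} and emitted as
 * response headers by {@code SecureHeadersGatewayFilterFactory}.
 *
 * <p>Every field starts at the {@code *_DEFAULT} constant declared next to it and is
 * overridden by the property of the same name. The defaults are a reasonable baseline,
 * not a policy that fits every deployment; the notes on the individual constants say
 * where a value is either stricter or looser than a given site may want.
 */
@ConfigurationProperties("spring.cloud.gateway.filter.secure-headers")
public class SecureHeadersProperties {

    /**
     * X-Xss-Protection. Current browsers have largely dropped support for this header;
     * a Content-Security-Policy is the effective control, this is legacy coverage only.
     */
    public static final String X_XSS_PROTECTION_HEADER_DEFAULT = "1 ; mode=block";

    /**
     * Strict-Transport-Security, max-age of roughly twenty years. The original source
     * notes the optional {@code ; includeSubDomains preload} directives; add them only
     * once every subdomain is served over HTTPS, because they cannot be undone quickly.
     */
    public static final String STRICT_TRANSPORT_SECURITY_HEADER_DEFAULT = "max-age=631138519";

    /**
     * X-Frame-Options. {@code SAMEORIGIN} is the usual relaxation; {@code ALLOW-FROM}
     * (listed in the original source) is not honoured by current browsers, use the CSP
     * {@code frame-ancestors} directive instead.
     */
    public static final String X_FRAME_OPTIONS_HEADER_DEFAULT = "DENY";

    /** X-Content-Type-Options; stops MIME sniffing of responses. */
    public static final String X_CONTENT_TYPE_OPTIONS_HEADER_DEFAULT = "nosniff";

    /**
     * Referrer-Policy. Other values from the original source: no-referrer-when-downgrade,
     * origin, origin-when-cross-origin, same-origin, strict-origin,
     * strict-origin-when-cross-origin, unsafe-url.
     */
    public static final String REFERRER_POLICY_HEADER_DEFAULT = "no-referrer";

    /**
     * Content-Security-Policy. Note that {@code script-src https:} allows scripts from
     * any HTTPS origin (it blocks mixed content, not third-party script injection) and
     * {@code style-src 'unsafe-inline'} permits inline styles; tighten both to explicit
     * origins where the application allows it.
     */
    public static final String CONTENT_SECURITY_POLICY_HEADER_DEFAULT = "default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'";

    /** X-Download-Options; tells (legacy IE) browsers not to open downloads in the site context. */
    public static final String X_DOWNLOAD_OPTIONS_HEADER_DEFAULT = "noopen";

    /** X-Permitted-Cross-Domain-Policies; disallows Flash/PDF cross-domain policy files. */
    public static final String X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER_DEFAULT = "none";

    private String xssProtectionHeader = X_XSS_PROTECTION_HEADER_DEFAULT;
    private String strictTransportSecurity = STRICT_TRANSPORT_SECURITY_HEADER_DEFAULT;
    private String frameOptions = X_FRAME_OPTIONS_HEADER_DEFAULT;
    private String contentTypeOptions = X_CONTENT_TYPE_OPTIONS_HEADER_DEFAULT;
    private String referrerPolicy = REFERRER_POLICY_HEADER_DEFAULT;
    private String contentSecurityPolicy = CONTENT_SECURITY_POLICY_HEADER_DEFAULT;
    private String downloadOptions = X_DOWNLOAD_OPTIONS_HEADER_DEFAULT;
    private String permittedCrossDomainPolicies = X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER_DEFAULT;

    //...... getters and setters omitted in this excerpt

    /**
     * Renders every bound value with its field name, so a log line can be matched
     * against the property keys.
     *
     * @return {@code SecureHeadersProperties{field='value', ...}}
     */
    @Override
    public String toString() {
        // StringBuilder: the buffer never leaves this method, so the synchronized
        // StringBuffer used before bought nothing.
        return new StringBuilder("SecureHeadersProperties{")
                .append("xssProtectionHeader='").append(xssProtectionHeader).append('\'')
                .append(", strictTransportSecurity='").append(strictTransportSecurity).append('\'')
                .append(", frameOptions='").append(frameOptions).append('\'')
                .append(", contentTypeOptions='").append(contentTypeOptions).append('\'')
                .append(", referrerPolicy='").append(referrerPolicy).append('\'')
                .append(", contentSecurityPolicy='").append(contentSecurityPolicy).append('\'')
                .append(", downloadOptions='").append(downloadOptions).append('\'')
                .append(", permittedCrossDomainPolicies='").append(permittedCrossDomainPolicies).append('\'')
                .append('}')
                .toString();
    }
}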
spring-cloud-gateway-core-2.0.0.RC1-sources.jar!/org/springframework/cloud/gateway/filter/factory/SecureHeadersGatewayFilterFactory.java
/**
 * Builds the {@code SecureHeaders} gateway filter, which appends a fixed set of
 * security-related response headers (values taken from {@link SecureHeadersProperties})
 * to every response that passes through a route using it.
 *
 * <p>Background on the individual headers:
 * https://blog.appcanary.com/2017/http-security-headers.html
 *
 * @author Spencer Gibb
 */
public class SecureHeadersGatewayFilterFactory extends AbstractGatewayFilterFactory {

    public static final String X_XSS_PROTECTION_HEADER = "X-Xss-Protection";
    public static final String STRICT_TRANSPORT_SECURITY_HEADER = "Strict-Transport-Security";
    public static final String X_FRAME_OPTIONS_HEADER = "X-Frame-Options";
    public static final String X_CONTENT_TYPE_OPTIONS_HEADER = "X-Content-Type-Options";
    public static final String REFERRER_POLICY_HEADER = "Referrer-Policy";
    public static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
    public static final String X_DOWNLOAD_OPTIONS_HEADER = "X-Download-Options";
    public static final String X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER = "X-Permitted-Cross-Domain-Policies";

    /** Source of every header value; bound from the secure-headers property prefix. */
    private final SecureHeadersProperties properties;

    public SecureHeadersGatewayFilterFactory(SecureHeadersProperties properties) {
        this.properties = properties;
    }

    /**
     * Creates the filter. The {@code config} argument is currently ignored: the values
     * always come from {@link #properties} (TODO in the original: let route args
     * override them).
     *
     * @param config route-level filter arguments, unused
     * @return a filter that appends the security headers and then continues the chain
     */
    @Override
    public GatewayFilter apply(Object config) {
        return (exchange, chain) -> {
            appendSecureHeaders(exchange.getResponse().getHeaders());
            return chain.filter(exchange);
        };
    }

    /**
     * Appends all eight headers to {@code headers}, in a fixed order.
     *
     * <p>{@code add} appends rather than replaces: if the same header name is already
     * present on the response, the client sees both values. Nothing here de-duplicates
     * or lets a single header be switched off (TODO in the original), so a header that
     * must be absent or carry one authoritative value has to be handled elsewhere.
     */
    private void appendSecureHeaders(HttpHeaders headers) {
        headers.add(X_XSS_PROTECTION_HEADER, properties.getXssProtectionHeader());
        headers.add(STRICT_TRANSPORT_SECURITY_HEADER, properties.getStrictTransportSecurity());
        headers.add(X_FRAME_OPTIONS_HEADER, properties.getFrameOptions());
        headers.add(X_CONTENT_TYPE_OPTIONS_HEADER, properties.getContentTypeOptions());
        headers.add(REFERRER_POLICY_HEADER, properties.getReferrerPolicy());
        headers.add(CONTENT_SECURITY_POLICY_HEADER, properties.getContentSecurityPolicy());
        headers.add(X_DOWNLOAD_OPTIONS_HEADER, properties.getDownloadOptions());
        headers.add(X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER, properties.getPermittedCrossDomainPolicies());
    }
}
小結
SecureHeadersGatewayFilter往response添加了如下header
- X-Xss-Protection
spring.cloud.gateway.filter.secure-headers.xss-protection-header=1 ; mode=block
- Strict-Transport-Security
spring.cloud.gateway.filter.secure-headers.strict-transport-security=max-age=631138519
- X-Frame-Options
spring.cloud.gateway.filter.secure-headers.frame-options=DENY
- X-Content-Type-Options
spring.cloud.gateway.filter.secure-headers.content-type-options=nosniff
- Referrer-Policy
spring.cloud.gateway.filter.secure-headers.referrer-policy=no-referrer
- Content-Security-Policy
spring.cloud.gateway.filter.secure-headers.content-security-policy=default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
- X-Download-Options
spring.cloud.gateway.filter.secure-headers.download-options=noopen
- X-Permitted-Cross-Domain-Policies
spring.cloud.gateway.filter.secure-headers.permitted-cross-domain-policies=none
doc
- Everything you need to know about HTTP security headers
- 112.14 SecureHeaders GatewayFilter Factory
總結(jié)