This article looks at Spring Cloud Gateway's SecureHeadersGatewayFilter.

GatewayAutoConfiguration

@Configuration
@ConditionalOnProperty(name = "spring.cloud.gateway.enabled", matchIfMissing = true)
@EnableConfigurationProperties
@AutoConfigureBefore(HttpHandlerAutoConfiguration.class)
@AutoConfigureAfter({GatewayLoadBalancerClientAutoConfiguration.class, GatewayClassPathWarningAutoConfiguration.class})
@ConditionalOnClass(DispatcherHandler.class)
public class GatewayAutoConfiguration {

    //......

    @Bean
    public SecureHeadersGatewayFilterFactory secureHeadersGatewayFilterFactory(SecureHeadersProperties properties) {
        return new SecureHeadersGatewayFilterFactory(properties);
    }

    //......
}

SecureHeadersProperties

Configuration items

[
  {
    "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",
    "defaultValue": "default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'",
    "name": "spring.cloud.gateway.filter.secure-headers.content-security-policy",
    "type": "java.lang.String"
  },
  {
    "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",
    "defaultValue": "nosniff",
    "name": "spring.cloud.gateway.filter.secure-headers.content-type-options",
    "type": "java.lang.String"
  },
  {
    "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",
    "defaultValue": "noopen",
    "name": "spring.cloud.gateway.filter.secure-headers.download-options",
    "type": "java.lang.String"
  },
  {
    "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",
    "defaultValue": "DENY",
    "name": "spring.cloud.gateway.filter.secure-headers.frame-options",
    "type": "java.lang.String"
  },
  {
    "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",
    "defaultValue": "none",
    "name": "spring.cloud.gateway.filter.secure-headers.permitted-cross-domain-policies",
    "type": "java.lang.String"
  },
  {
    "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",
    "defaultValue": "no-referrer",
    "name": "spring.cloud.gateway.filter.secure-headers.referrer-policy",
    "type": "java.lang.String"
  },
  {
    "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",
    "defaultValue": "max-age=631138519",
    "name": "spring.cloud.gateway.filter.secure-headers.strict-transport-security",
    "type": "java.lang.String"
  },
  {
    "sourceType": "org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties",
    "defaultValue": "1 ; mode=block",
    "name": "spring.cloud.gateway.filter.secure-headers.xss-protection-header",
    "type": "java.lang.String"
  }
]

Entity class

spring-cloud-gateway-core-2.0.0.RC1-sources.jar!/org/springframework/cloud/gateway/filter/factory/SecureHeadersProperties.java

@ConfigurationProperties("spring.cloud.gateway.filter.secure-headers")
public class SecureHeadersProperties {

    public static final String X_XSS_PROTECTION_HEADER_DEFAULT = "1 ; mode=block";
    public static final String STRICT_TRANSPORT_SECURITY_HEADER_DEFAULT = "max-age=631138519"; //; includeSubDomains preload")
    public static final String X_FRAME_OPTIONS_HEADER_DEFAULT = "DENY"; //SAMEORIGIN = ALLOW-FROM
    public static final String X_CONTENT_TYPE_OPTIONS_HEADER_DEFAULT = "nosniff";
    public static final String REFERRER_POLICY_HEADER_DEFAULT = "no-referrer"; //no-referrer-when-downgrade = origin = origin-when-cross-origin = same-origin = strict-origin = strict-origin-when-cross-origin = unsafe-url
    public static final String CONTENT_SECURITY_POLICY_HEADER_DEFAULT = "default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'";
    public static final String X_DOWNLOAD_OPTIONS_HEADER_DEFAULT = "noopen";
    public static final String X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER_DEFAULT = "none";

    private String xssProtectionHeader = X_XSS_PROTECTION_HEADER_DEFAULT;
    private String strictTransportSecurity = STRICT_TRANSPORT_SECURITY_HEADER_DEFAULT;
    private String frameOptions = X_FRAME_OPTIONS_HEADER_DEFAULT;
    private String contentTypeOptions = X_CONTENT_TYPE_OPTIONS_HEADER_DEFAULT;
    private String referrerPolicy = REFERRER_POLICY_HEADER_DEFAULT;
    private String contentSecurityPolicy = CONTENT_SECURITY_POLICY_HEADER_DEFAULT;
    private String downloadOptions = X_DOWNLOAD_OPTIONS_HEADER_DEFAULT;
    private String permittedCrossDomainPolicies = X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER_DEFAULT;

    //......

    @Override
    public String toString() {
        final StringBuffer sb = new StringBuffer("SecureHeadersProperties{");
        sb.append("xssProtectionHeader='").append(xssProtectionHeader).append('\'');
        sb.append(", strictTransportSecurity='").append(strictTransportSecurity).append('\'');
        sb.append(", frameOptions='").append(frameOptions).append('\'');
        sb.append(", contentTypeOptions='").append(contentTypeOptions).append('\'');
        sb.append(", referrerPolicy='").append(referrerPolicy).append('\'');
        sb.append(", contentSecurityPolicy='").append(contentSecurityPolicy).append('\'');
        sb.append(", downloadOptions='").append(downloadOptions).append('\'');
        sb.append(", permittedCrossDomainPolicies='").append(permittedCrossDomainPolicies).append('\'');
        sb.append('}');
        return sb.toString();
    }
}

SecureHeadersGatewayFilterFactory

spring-cloud-gateway-core-2.0.0.RC1-sources.jar!/org/springframework/cloud/gateway/filter/factory/SecureHeadersGatewayFilterFactory.java

/**
 * https://blog.appcanary.com/2017/http-security-headers.html
 * @author Spencer Gibb
 */
public class SecureHeadersGatewayFilterFactory extends AbstractGatewayFilterFactory {

    public static final String X_XSS_PROTECTION_HEADER = "X-Xss-Protection";
    public static final String STRICT_TRANSPORT_SECURITY_HEADER = "Strict-Transport-Security";
    public static final String X_FRAME_OPTIONS_HEADER = "X-Frame-Options";
    public static final String X_CONTENT_TYPE_OPTIONS_HEADER = "X-Content-Type-Options";
    public static final String REFERRER_POLICY_HEADER = "Referrer-Policy";
    public static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
    public static final String X_DOWNLOAD_OPTIONS_HEADER = "X-Download-Options";
    public static final String X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER = "X-Permitted-Cross-Domain-Policies";

    private final SecureHeadersProperties properties;

    public SecureHeadersGatewayFilterFactory(SecureHeadersProperties properties) {
        this.properties = properties;
    }

    @Override
    public GatewayFilter apply(Object config) {
        //TODO: allow args to override properties
        return (exchange, chain) -> {
            HttpHeaders headers = exchange.getResponse().getHeaders();
            //TODO: allow header to be disabled
            headers.add(X_XSS_PROTECTION_HEADER, properties.getXssProtectionHeader());
            headers.add(STRICT_TRANSPORT_SECURITY_HEADER, properties.getStrictTransportSecurity());
            headers.add(X_FRAME_OPTIONS_HEADER, properties.getFrameOptions());
            headers.add(X_CONTENT_TYPE_OPTIONS_HEADER, properties.getContentTypeOptions());
            headers.add(REFERRER_POLICY_HEADER, properties.getReferrerPolicy());
            headers.add(CONTENT_SECURITY_POLICY_HEADER, properties.getContentSecurityPolicy());
            headers.add(X_DOWNLOAD_OPTIONS_HEADER, properties.getDownloadOptions());
            headers.add(X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER, properties.getPermittedCrossDomainPolicies());
            return chain.filter(exchange);
        };
    }
}

As you can see, this filter adds a set of security-related headers to the response, taking each value from SecureHeadersProperties, and then passes the exchange on to the rest of the chain.
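To see the filter's effect end to end, here is an added example (not code from the original post or from the Spring Cloud Gateway project) that builds the factory with two overridden properties, runs the resulting filter against a mock exchange and checks every header it emits. It assumes spring-test's MockServerWebExchange is on the classpath, that SecureHeadersProperties exposes setters named after its fields (setStrictTransportSecurity, setContentSecurityPolicy), and the apply(Object) signature shown above; the HSTS and CSP values it sets are constructed for the example and are not the project's defaults.

```java
import java.util.List;

import org.springframework.cloud.gateway.filter.GatewayFilter;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.factory.SecureHeadersGatewayFilterFactory;
import org.springframework.cloud.gateway.filter.factory.SecureHeadersProperties;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Stand-alone check of what SecureHeadersGatewayFilter writes to a response.
 * Example code, not part of Spring Cloud Gateway.
 */
public class SecureHeadersFilterCheck {

    public static void main(String[] args) {
        SecureHeadersProperties props = new SecureHeadersProperties();
        // Override two defaults; setter names are assumed to match the field names.
        // Both values are constructed for this example.
        props.setStrictTransportSecurity("max-age=31536000; includeSubDomains");
        props.setContentSecurityPolicy("default-src 'self'; object-src 'none'; frame-ancestors 'none'");

        // apply(Object) ignores its argument in the version shown on the page
        GatewayFilter filter = new SecureHeadersGatewayFilterFactory(props).apply(new Object());

        // Mock exchange for a constructed request; no real proxying happens
        MockServerWebExchange exchange = MockServerWebExchange.from(
                MockServerHttpRequest.get("/api/orders").build());

        // Chain that does nothing downstream, so only this filter touches the response
        GatewayFilterChain chain = ex -> Mono.empty();
        filter.filter(exchange, chain).block();

        HttpHeaders headers = exchange.getResponse().getHeaders();
        // Defaults from SecureHeadersProperties that were left untouched
        expect(headers, "X-Xss-Protection", "1 ; mode=block");
        expect(headers, "X-Frame-Options", "DENY");
        expect(headers, "X-Content-Type-Options", "nosniff");
        expect(headers, "Referrer-Policy", "no-referrer");
        expect(headers, "X-Download-Options", "noopen");
        expect(headers, "X-Permitted-Cross-Domain-Policies", "none");
        // The two values overridden above
        expect(headers, "Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        expect(headers, "Content-Security-Policy", "default-src 'self'; object-src 'none'; frame-ancestors 'none'");

        System.out.println("all secure headers present with the expected single value");
    }

    /**
     * Requires exactly one value for the header. The size check matters because the
     * filter uses headers.add(), so a pre-existing header would yield two values
     * rather than being replaced.
     */
    static void expect(HttpHeaders headers, String name, String expected) {
        List<String> values = headers.get(name);
        if (values == null || values.size() != 1 || !expected.equals(values.get(0))) {
            throw new IllegalStateException(name + " = " + values + ", expected [" + expected + "]");
        }
    }
}
```

Run it with the spring-cloud-gateway-core and spring-test jars on the classpath; a missing or mismatched header throws and names the offending value. The single-value check is deliberate: because the filter calls headers.add rather than set, a response that already carries one of these headers ends up with two values, and that is the case a deployment check most needs to catch.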

Summary

SecureHeadersGatewayFilter adds the following headers to the response, each configurable through the property listed beneath it:

  • X-Xss-Protection

spring.cloud.gateway.filter.secure-headers.xss-protection-header=1 ; mode=block

  • Strict-Transport-Security

spring.cloud.gateway.filter.secure-headers.strict-transport-security=max-age=631138519

  • X-Frame-Options

spring.cloud.gateway.filter.secure-headers.frame-options=DENY

  • X-Content-Type-Options

spring.cloud.gateway.filter.secure-headers.content-type-options=nosniff

  • Referrer-Policy

spring.cloud.gateway.filter.secure-headers.referrer-policy=no-referrer

  • Content-Security-Policy

spring.cloud.gateway.filter.secure-headers.content-security-policy=default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'

  • X-Download-Options

spring.cloud.gateway.filter.secure-headers.download-options=noopen

  • X-Permitted-Cross-Domain-Policies

spring.cloud.gateway.filter.secure-headers.permitted-cross-domain-policies=none

doc

  • Everything you need to know about HTTP security headers
  • 112.14 SecureHeaders GatewayFilter Factory
