xusl 1 ano atrás
pai
commit
2ba5e5e081

+ 39 - 0
backend/src/main/java/com/jiayue/ssi/config/TomcatCustomizer.java

@@ -0,0 +1,39 @@
+package com.jiayue.ssi.config;
+
+import org.apache.tomcat.util.descriptor.web.SecurityCollection;
+import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
+import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+*
+*
+* @author xsl
+* @since 2023/07/11
+*/
+@Configuration
+public class TomcatCustomizer{
+    @Bean
+    public ConfigurableServletWebServerFactory configurableServletWebServerFactory() {
+        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
+        factory.addContextCustomizers(context -> {
+            SecurityConstraint securityConstraint = new SecurityConstraint();
+            securityConstraint.setUserConstraint("CONFIDENTIAL");
+            SecurityCollection collection = new SecurityCollection();
+            collection.addPattern("/*");
+            collection.addMethod("HEAD");
+            collection.addMethod("PUT");
+            collection.addMethod("DELETE");
+            collection.addMethod("OPTIONS");
+            collection.addMethod("TRACE");
+            collection.addMethod("COPY");
+            collection.addMethod("SEARCH");
+            collection.addMethod("PROPFIND");
+            securityConstraint.addCollection(collection);
+            context.addConstraint(securityConstraint);
+        });
+        return factory;
+    }
+}
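Review bot: The CONFIDENTIAL constraint is scoped by the addMethod calls on lines 35-42, so the HTTPS-only transport guarantee applies only to HEAD, PUT, DELETE, OPTIONS, TRACE, COPY, SEARCH and PROPFIND, while GET and POST on `/*` stay unconstrained. If the intent is to force TLS for all traffic, drop the addMethod calls (a collection with no methods matches every method); if the intent is to disable the unsafe methods, CONFIDENTIAL does not refuse them but only redirects them to the secure port, and the Tomcat idiom for a deny is `securityConstraint.setAuthConstraint(true);` with no roles added — in which case HEAD and OPTIONS probably should not be in the list, since denying them breaks clients and CORS preflight. The Javadoc on lines 19-24 is empty apart from author/since; a one-line summary naming which of the two behaviours is intended (e.g. "Redirects every request to HTTPS" or "Rejects unsafe HTTP methods on all paths") would remove the ambiguity.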

+ 5 - 1
backend/src/main/java/com/jiayue/ssi/filter/InterfaceLimitFilter.java

@@ -34,7 +34,11 @@ public class InterfaceLimitFilter extends OncePerRequestFilter {
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
         throws ServletException, IOException {
-        response.setHeader("Strict-Transport-Security", "max-age=31536; includeSubDomains");
+        response.setHeader("Strict-Transport-Security", "max-age=63072000;includeSubDomains;preload");
+        response.addHeader("Content-Security-Policy","object-src 'self'");
+        response.addHeader("X-Content-Type-Options","nosniff");
+        response.addHeader("X-XSS-Protection","1; mode=block");
+
         checkIp(request,response,filterChain);
     }
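Review bot: The `Content-Security-Policy` value added on line 59 contains only `object-src 'self'`; with no `default-src`, `script-src` or `frame-ancestors` directive it constrains plugin content only and gives no protection against injected scripts or framing, so the header provides less than its presence suggests. `X-XSS-Protection: 1; mode=block` on line 61 targets a browser filter that current browsers have removed and that historically introduced its own side-channel issues; the usual recommendation now is `X-XSS-Protection: 0` with a real CSP carrying the policy. The `preload` token added to HSTS on line 58 is a long-term commitment: once the domain is on the preload list, removal takes months, so confirm every subdomain serves TLS before this ships. Lines 59-61 use `addHeader` while line 58 uses `setHeader`; using `setHeader` for all four keeps the behaviour consistent if the filter is ever invoked more than once on a request. The enclosing class InterfaceLimitFilter and the `checkIp` helper are outside the hunk.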
 

+ 1 - 1
backend/src/main/resources/application.yml

@@ -5,7 +5,7 @@ server:
     key-store-type: PKCS12
     key-store-password: ENC(6daOBtvpihAkIU2Kh8iRK3KqYgI4E0/s)
     enabled-protocols: "TLSv1.2"
-    ciphers: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
+    ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384"
   tomcat:
     max-connections: 50
     max-threads: 30
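Review bot: The new `ciphers` value on line 75 uses OpenSSL naming (`ECDHE-RSA-AES128-GCM-SHA256`), whereas the replaced value and the Spring Boot documentation use JSSE names (`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`); Tomcat's SSLHostConfig does accept and translate OpenSSL-style names, but whether that path is taken depends on the Tomcat version bundled here, so verify the suites actually negotiated after deployment rather than trusting the file. The `ECDHE-ECDSA-*` entries only take effect if the PKCS12 keystore holds an EC key, and the `CHACHA20-POLY1305` suites need a JDK that implements them (JDK 12 or later); with an RSA certificate on an older JDK the effective list reduces to the four `*-RSA-AES*-GCM-*` suites, which is still acceptable but should be a known outcome. Tomcat silently drops suites the JSSE provider cannot resolve, so check the startup log and the negotiated suite on the first deploy. Removing the RC4 and CBC suites from the old list is the right change and needs no further action.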