Description
WebInspect has found a preflight response that is configured to be cached for a prolonged time. How long a preflight response may be cached is conveyed with the Access-Control-Max-Age response header; a value above 30 minutes (1800 seconds) is considered prolonged.

Cross-Origin Resource Sharing (CORS) lets a domain define a policy under which its resources may be read by a page hosted on a different domain through cross-domain XMLHttpRequest (XHR) or fetch calls. Without CORS, the browser's same-origin policy applies: a script running on one origin can send certain requests to another origin, but it cannot read the responses, so it cannot call APIs or pull data from any domain other than its own. CORS is supported by all major browsers, but the serving domain must define its policy correctly before its resources can be shared with another origin. That policy is expressed in dedicated response headers, such as:
Access-Control-Allow-Origin
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Max-Age
The browser sends a preflight OPTIONS request whenever the cross-origin request made by the page is anything other than a simple request. A request is simple when its method is GET, HEAD or POST, every header the script sets is CORS-safelisted (Accept, Accept-Language, Content-Language, Content-Type), and, if there is a body, the Content-Type is application/x-www-form-urlencoded, multipart/form-data or text/plain. Sending cookies or HTTP authentication does not by itself trigger a preflight; a header the script sets, such as Authorization or a custom X-* header, does. The preflight response exposes the server's CORS policy through the headers listed above. After checking that the requested method and headers are permitted, the browser sends the actual request the page initiated. The preflight costs an extra round trip, so the server can tell the browser to cache the preflight result with Access-Control-Max-Age; the browser keeps that result per origin and URL, and it is this cache that the finding is about.
Solution
add_header Access-Control-Max-Age 1200;
For example:
server {
    # Let browsers cache the preflight result for at most 20 minutes (1200 s),
    # below the 30-minute threshold the finding uses.
    add_header Access-Control-Max-Age 1200;
}

Two nginx details matter here. add_header directives are not inherited into a server or location block that declares any add_header of its own, so the directive has to be repeated wherever the other Access-Control-* headers are set. And add_header is only applied to responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308 unless the always parameter is appended; answering preflights with "return 204;" is fine, but a backend that answers OPTIONS with another status needs always.
Approach
The gist of the finding is:
Prolonged caching of a preflight response can create a security risk: the policy may be updated on the server, yet the browser keeps allowing cross-origin requests on the basis of the originally cached policy until the cache entry expires. The time a response is allowed to be cached is conveyed with the Access-Control-Max-Age response header, and a value above 30 minutes is considered prolonged.

So we keep it under 30 minutes; it is currently set to 20 minutes, i.e. 1200 seconds.

Two points worth knowing when picking the value. Browsers cap it anyway (Chromium at 7200 seconds, Firefox at 86400) and use a default of 5 seconds when the header is absent, so 1200 is well inside what browsers honour. And a cached preflight only spares the browser the OPTIONS round trip: the actual request is still sent, and its response must still carry a matching Access-Control-Allow-Origin before the page can read it. The risk window is that a request the server would now reject at preflight time, such as a newly disallowed method or header, is still sent until the cache expires, together with whatever server-side effect it has; authorization must therefore never rely on the preflight alone.
References
https://vulncat.fortify.com/en/detail?id=desc.dynamic.html.html5_cors_prolonged_caching_of_preflight_response
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Access-Control-Max-Age