Secure Development: Enabling the HttpOnly and Secure Cookie Attributes in Spring Boot

0. Introduction

Before the application goes live, its cookies need the HttpOnly and Secure attributes set to close a finding from the security review.

1. What the HttpOnly and Secure cookie attributes are, and why to set them

According to the Microsoft Developer Network (as quoted by OWASP), HttpOnly is an additional flag included in the Set-Cookie HTTP response header. A browser will not expose a cookie carrying this flag to client-side script (document.cookie), so a cross-site scripting payload cannot read and exfiltrate the session cookie. It does not prevent XSS itself; it limits what an XSS can steal. [1]

The Secure attribute is an option an application server can set when sending a new cookie to the user in an HTTP response. Its purpose is to keep the cookie from being observed by unauthorized parties through clear-text transmission: a browser stores and sends a cookie marked Secure only over an HTTPS connection. [2]

2. Practice

2.1 How to set HttpOnly

Property                                   Default   Description
server.servlet.session.cookie.http-only    true      Whether to use "HttpOnly" cookies for session cookies.
server.servlet.session.cookie.secure       false     Whether to always mark the session cookie as secure (server.session.cookie.secure in Spring Boot 1.x).
  • Default
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=5F5E7204DB4806E498DBCEE16EE505BB; Path=/; HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:10:22 GMT
<
{"a":0}* Connection #0 to host localhost left intact
  • server.servlet.session.cookie.http-only=false
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=9C4848DB7F3ED02FE5D1B67D823A1338; Path=/
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:12:59 GMT
<
{"a":0}* Connection #0 to host localhost left intact
  • server.servlet.session.cookie.http-only=true
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=55167E90255588C69C8C8F790D0EB2AA; Path=/; HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:13:31 GMT
<
{"a":0}* Connection #0 to host localhost left intact

2.2 How to set Secure

Property                                   Default   Description
server.servlet.session.cookie.secure       false     Whether to always mark the session cookie as secure (server.session.cookie.secure in Spring Boot 1.x).

The word "always" in the description matters. With the default of false, Tomcat still marks the session cookie Secure when the request itself arrived over HTTPS (request.isSecure()), which is why the transcripts below, taken over plain http://localhost, show no Secure flag until the property is set. Behind a TLS-terminating reverse proxy the request reaches Tomcat over plain HTTP, so either set this property to true or make Tomcat honor X-Forwarded-Proto (server.forward-headers-strategy=native in Spring Boot 2.2+). Note also that curl prints the Set-Cookie header whatever the scheme; a browser stores and sends a Secure cookie only over HTTPS, so with secure=true a session will not persist if the application is accessed over plain http://.

Setting Secure

In application.properties set the following property:
server.servlet.session.cookie.secure=true
… or, in Spring Boot 1.x (the key was renamed in Spring Boot 2.0):
server.session.cookie.secure=true

  • Default
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=4D2F08B1E76EC8A49C766343BCCB5287; Path=/; HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:25:04 GMT
<
{"a":0}* Connection #0 to host localhost left intact
  • server.servlet.session.cookie.secure=true
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=FA9734CC373FFEF7E56AB679D70CAF82; Path=/; Secure; HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:25:18 GMT
<
{"a":0}* Connection #0 to host localhost left intact
  • server.servlet.session.cookie.secure=false
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=BCE553C92FAA26406DB27DF5AB352645; Path=/; HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:25:43 GMT
<
{"a":0}* Connection #0 to host localhost left intact
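A repeatable version of the curl check above, as an added example that is not part of the original post: a Spring Boot integration test that boots the embedded Tomcat on a random port, requests the same /stuff endpoint, and fails unless the JSESSIONID cookie carries both HttpOnly and Secure. It assumes a Spring Boot 2.2+ project (JUnit 5) with spring-boot-starter-web and spring-boot-starter-test on the classpath, and that GET /stuff creates a session as it evidently does in the transcripts; the package, class and method names are placeholders. It deliberately does not override the two properties, so it checks whatever application.properties actually ships and fails if someone drops them.

```java
// Added example, not code from the original post. Assumes Spring Boot 2.2+,
// spring-boot-starter-web, spring-boot-starter-test, and a GET /stuff endpoint
// that creates an HTTP session. Package and class names are placeholders.
package com.example.demo;

import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.Arrays;
import java.util.List;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseEntity;

// RANDOM_PORT starts the real embedded servlet container, so the Set-Cookie
// header comes from Tomcat exactly as curl sees it (MockMvc would not emit one).
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class SessionCookieFlagsTest {

    @Autowired
    private TestRestTemplate rest;

    @Test
    void sessionCookieIsHttpOnlyAndSecure() {
        // Relative URL: TestRestTemplate resolves it against localhost:<random port>.
        ResponseEntity<String> response = rest.getForEntity("/stuff", String.class);

        List<String> setCookies = response.getHeaders().get(HttpHeaders.SET_COOKIE);
        assertNotNull(setCookies, "no Set-Cookie header: does GET /stuff create a session?");

        String session = setCookies.stream()
                .filter(c -> c.startsWith("JSESSIONID="))
                .findFirst()
                .orElseThrow(() -> new AssertionError("no JSESSIONID cookie in " + setCookies));

        assertTrue(hasAttribute(session, "HttpOnly"), "missing HttpOnly: " + session);
        assertTrue(hasAttribute(session, "Secure"), "missing Secure: " + session);
    }

    /**
     * Set-Cookie attribute names are case-insensitive and separated by ';'.
     * Matching whole tokens, rather than contains("Secure"), avoids a false pass
     * on a cookie whose value merely contains the word.
     */
    static boolean hasAttribute(String setCookie, String name) {
        return Arrays.stream(setCookie.split(";"))
                .map(String::trim)
                .anyMatch(token -> token.equalsIgnoreCase(name));
    }
}
```

Run it with the project's usual `mvn test` or `gradle test`; against the default configuration it fails on the Secure assertion, against the properties in this section it passes, which is the regression guard the security review is asking for.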

3. Summary

Property                                   Default   Description [3]
server.servlet.session.cookie.http-only    true      Whether to use "HttpOnly" cookies for session cookies.
server.servlet.session.cookie.secure       false     Whether to always mark the session cookie as secure (server.session.cookie.secure in Spring Boot 1.x).
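The two properties only affect the container's session cookie (JSESSIONID). Cookies the application adds itself, such as a remember-me token or a preference cookie, get neither flag unless the code sets them. The following added example (mine, not from the original post or from Spring) shows the programmatic equivalent of the two properties through the Servlet SessionCookieConfig API, and a weak application cookie beside two hardened forms. It assumes Spring Boot 2.x on the javax.servlet API (Spring Boot 3 moved to jakarta.servlet); the class, bean and cookie names are illustrative.

```java
// Added example, not code from the original post or from Spring. Assumes
// Spring Boot 2.x with javax.servlet (use jakarta.servlet on Spring Boot 3).
// Class, bean and cookie names are illustrative.
package com.example.demo;

import javax.servlet.SessionCookieConfig;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

@Configuration
public class CookieHardeningConfig {

    /**
     * Same effect as
     *   server.servlet.session.cookie.http-only=true
     *   server.servlet.session.cookie.secure=true
     * but applied in code, so the flags do not depend on the right
     * application.properties being shipped. Spring Boot runs every
     * ServletContextInitializer bean when the embedded container starts.
     */
    @Bean
    public ServletContextInitializer sessionCookieFlags() {
        return servletContext -> {
            SessionCookieConfig session = servletContext.getSessionCookieConfig();
            session.setHttpOnly(true);
            session.setSecure(true);
        };
    }
}

/** Cookies the application sets itself are not covered by the settings above. */
class ApplicationCookies {

    // Weak: a servlet Cookie has HttpOnly and Secure off by default, so this
    // one is readable from document.cookie and is sent over plain HTTP.
    static void addWeakCookie(HttpServletResponse response) {
        response.addCookie(new Cookie("pref", "dark"));
    }

    // Hardened, Servlet API: set both flags explicitly before adding the cookie.
    static void addHardenedServletCookie(HttpServletResponse response) {
        Cookie cookie = new Cookie("pref", "dark");
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setPath("/");
        response.addCookie(cookie);
    }

    // Hardened, Spring style: ResponseCookie renders the complete Set-Cookie
    // value ("pref=dark; Path=/; Secure; HttpOnly") for the header.
    static void addHardenedResponseCookie(HttpServletResponse response) {
        ResponseCookie cookie = ResponseCookie.from("pref", "dark")
                .httpOnly(true)
                .secure(true)
                .path("/")
                .build();
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
    }
}
```

Whichever form is used, the verification is the same as in section 2: look at the Set-Cookie line for each cookie the application emits, not just JSESSIONID.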

4. References


  1. OWASP: HttpOnly
     https://owasp.org/www-community/HttpOnly
     OWASP: Secure Cookie Attribute
     https://owasp.org/www-community/controls/SecureCookieAttribute
     Stack Overflow: How to set cookies as secure flag in Spring Boot
     https://stackoverflow.com/questions/47989617/how-to-set-cookies-as-secure-flag-in-spring-boot ↩︎

  2. OWASP: Secure Cookie Attribute
     https://owasp.org/www-community/controls/SecureCookieAttribute
     MDN: Set-Cookie HTTP response header
     https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Set-Cookie ↩︎

  3. Spring Boot configuration properties: Server properties
     https://prop.springboot.io/#/11.Server ↩︎
