Clickjacking vulnerability fix (front end and back end)
Clickjacking (Click Jacking) is a visual deception technique: the attacker lays a transparent iframe over a web page and lures the user into interacting with that page. By adjusting the position of the iframe, the attacker can make the forged page line up exactly with certain controls (buttons) of the victim page loaded inside the iframe, in order to steal user information or hijack the user's actions.
Front end
Add to main.js:
// If this page is not the top-level document, it is being framed: navigate the top window to our own URL to break out of the frame.
if (window.top !== window.self) { window.top.location = window.location; }
Back end
Add a filter:
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Note: on Spring Boot 3 / Spring 6 the servlet imports are jakarta.servlet.* instead of javax.servlet.*.
// Being a Spring @Component, this filter is registered automatically and runs once per request.
@Component
public class AddResponseHeaderFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest,
                                    HttpServletResponse httpServletResponse,
                                    FilterChain filterChain) throws ServletException, IOException {
        System.out.println("=====X-Frame-Options, SAMEORIGIN=====");
        // httpServletResponse.addHeader("X-Frame-Options", "DENY"); // refuse framing by any origin, including our own
        httpServletResponse.addHeader("X-Frame-Options", "SAMEORIGIN"); // allow framing only by pages from the same origin
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }
}