描述
The web application does not utilize HTTP only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of a successful Cross-Site scripting attack by not allowing cookies with the HTTP only attribute to be accessed via client-side scripts. Recommendations include adopting a development policy that includes the utilization of HTTP only cookies, and performing other actions such as ensuring proper filtration of user-supplied data, utilizing client-side validation of user supplied data, and encoding all user supplied data to prevent inserted scripts being sent to end users in a format that can be executed.
解决方案
nginx
在http下添加 HttpOnly是重点!
add_header Set-Cookie “Path=/; HttpOnly; Secure”;
例如:
http{
add_header Set-Cookie "Path=/; HttpOnly; Secure";
}
shiro
在bean的name为sessionIdCookie和rememberMeCookie下增加
cookie.setSecure(true);
例如:
@Bean(name = "sessionIdCookie")
public SimpleCookie getSessionIdCookie() {
SimpleCookie cookie = new SimpleCookie("sid");
cookie.setHttpOnly(true);
cookie.setSecure(true);
return cookie;
}
@Bean(name = "rememberMeCookie")
public SimpleCookie getRememberMeCookie() {
SimpleCookie cookie = new SimpleCookie("rememberMe");
cookie.setHttpOnly(true);
cookie.setSecure(true);
return simpleCookie;
}
参考
https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.cookie_security_httponly_not_set_on_session_cookie
https://blog.miniasp.com/post/2009/11/26/Using-HttpOnly-flag-to-avoid-XSS-attack
|