
Web application response header duplication

I am working on the security enhancements of my application based on a security scan report. My application is a Java EE web application running in WildFly, and it is exposed to the users through a reverse proxy server, which is Apache.

I made the following changes in the standalone.xml file in WildFly to enable Strict-Transport-Security and the HttpOnly attribute.

<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <http-invoker security-realm="ApplicationRealm"/>
        <filter-ref name="x-frame-options"/>
        <filter-ref name="x-xss-protection"/>
        <filter-ref name="x-content-type-options"/>
        <filter-ref name="transport-security"/>
    </host>
</server>
<servlet-container name="default">
    <jsp-config x-powered-by="false"/>
    <session-cookie http-only="true" secure="true"/>
    <websockets/>
</servlet-container>

However, when I go to the application page and check the response in the network tab, I see duplicate attributes.

Request Method: GET
Status Code: 200 OK
Referrer Policy: strict-origin-when-cross-origin
Connection: Keep-Alive
Content-Length: 4222
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 08 Jan 2021 02:36:52 GMT
Keep-Alive: timeout=5, max=99
Server: Apache
SET-COOKIE: JSESSIONID=BOH0IrY-e2q24ks1bbMy9bBzqeDZshm1n1O02G_f; Path=/MyApplication; HttpOnly
SET-COOKIE: JSESSIONID=BOH0IrY-e2q24ks1bbMy9bBzqeDZshm1n1O02G_f.application_uat; path=/MyApplication; secure; HttpOnly
Strict-Transport-Security: max-age=63072000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block

Also, in one, JSESSIONID is secure, and in the other one it's not secure. I am not handling the configuration of the Apache server. Could it be because of some configuration of the Apache server? I am quite new to this, so I would appreciate some help figuring this out.

Thank you.

If you have access to the application's source code, check to see if it has a custom cookie handler developed in-house.

It could be something as stupid as a piece of code that appends some text instead of overwriting it somewhere.

The evidence suggests this:

SET-COOKIE: JSESSIONID=BOH0IrY-e2q24ks1bbMy9bBzqeDZshm1n1O02G_f; Path=/MyApplication; HttpOnly
SET-COOKIE: JSESSIONID=BOH0IrY-e2q24ks1bbMy9bBzqeDZshm1n1O02G_f.application_uat; path=/MyApplication; secure; HttpOnly

Effectively identical lines, with extra information added somewhere. This suggests a handler that changes something along the way.

The same goes for

Strict-Transport-Security: max-age=63072000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains

which is kind of weird.

At any rate... it looks like something's dealing with 2 requests and modifying the same throughput... badly.
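As an added example (not code from the question or the answer), here is a small Python check for exactly the symptom discussed above: it parses a captured response header block, groups headers case-insensitively, reports which ones are sent twice (identical or conflicting values, which matters for Strict-Transport-Security since browsers honour only one copy), and flags a cookie that is set more than once with one copy lacking the Secure attribute. The sample input is the response quoted in the question, embedded as a constructed string.

```python
from collections import defaultdict

# Constructed sample: the response headers quoted in the question above.
SAMPLE_HEADERS = """\
SET-COOKIE: JSESSIONID=BOH0IrY-e2q24ks1bbMy9bBzqeDZshm1n1O02G_f; Path=/MyApplication; HttpOnly
SET-COOKIE: JSESSIONID=BOH0IrY-e2q24ks1bbMy9bBzqeDZshm1n1O02G_f.application_uat; path=/MyApplication; secure; HttpOnly
Strict-Transport-Security: max-age=63072000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
"""

def parse_headers(raw):
    """Return (lower-cased name, value) pairs; header names are case-insensitive."""
    pairs = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def parse_cookie(value):
    """Split a Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].partition("=")[0]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    return cookie_name, attrs

def find_duplicates(raw):
    """List headers sent more than once, and cookies set more than once where a copy lacks Secure."""
    by_name = defaultdict(list)
    for name, value in parse_headers(raw):
        by_name[name].append(value)
    findings = []
    for name, values in sorted(by_name.items()):
        if name != "set-cookie" and len(values) > 1:
            # Identical copies are noise; conflicting copies leave the browser to pick one.
            kind = "conflicting" if len(set(values)) > 1 else "identical"
            findings.append(f"{name}: {kind} duplicate ({len(values)}x)")
    cookies = defaultdict(list)
    for cookie_name, attrs in map(parse_cookie, by_name.get("set-cookie", [])):
        cookies[cookie_name].append(attrs)
    for cookie_name, attr_list in sorted(cookies.items()):
        if len(attr_list) > 1:
            insecure = sum(1 for a in attr_list if "secure" not in a)
            findings.append(f"set-cookie {cookie_name}: set {len(attr_list)}x, {insecure} without Secure")
    return findings
```

Running `find_duplicates(SAMPLE_HEADERS)` on the quoted response reports the two HSTS values as conflicting, the other two security headers as identical duplicates, and JSESSIONID as set twice with one copy missing Secure, which is a quick way to confirm a fix once the proxy or application configuration is changed.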
