Host header attack: remediation

Method 1: Servlet filter

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HostHeaderFilter implements Filter {

    public void init(FilterConfig filterConfig) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Host header attack check: only let through requests whose Host is one of ours.
        // A missing Host header is rejected as well (HTTP/1.1 requires it).
        String requestHost = req.getHeader("Host");
        if (requestHost == null || !isAllowedHost(requestHost)) {
            res.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    // Host header check: exact match against the allow list. Substring matching
    // (indexOf) would also accept "www.xxx.com.evil.com" or "evil.com?www.xxx.com".
    public boolean isAllowedHost(String requestHost) {
        // Drop an optional ":port" so "www.xxx.com:8080" is still accepted
        // (host names and IPv4 only; bracketed IPv6 literals need extra handling).
        int colon = requestHost.lastIndexOf(':');
        String host = colon > 0 ? requestHost.substring(0, colon) : requestHost;
        return host.equalsIgnoreCase("www.xxx.com")
                || host.equals("服务器IP"); // placeholder kept from the original: the server's IP address
    }
}

Method 2: nginx

# Exact string comparison of the Host header against the expected value
# ('域名或ip:端口' is a placeholder: the site's domain or IP, with port if used)
if ($http_host != '域名或ip:端口') {
    return 403;
}

# Or an anchored, case-insensitive regular expression (escape the dots of a real domain)
if ($http_host !~* ^域名或ip:端口$) {
    return 403;   # a custom error page can be returned here instead; see
}

Method 3: Tomcat

For Tomcat, edit server.xml and configure the name attribute of the Host element.

Change the Host's name to the static domain name, as follows:
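The server.xml fragment itself is missing from the page, so the following is an added example of the configuration the text describes, not the original post's own. It assumes the site is served as www.xxx.com, that the server's IP (the same placeholder used in the filter above) should also be accepted, and that every other Host value should fall through to an empty catch-all host so Tomcat answers it with 404 instead of serving the application under an attacker-chosen name. The host name "invalid-host" and the directory "empty-webapps" are assumed names:

```xml
<Engine name="Catalina" defaultHost="invalid-host">

  <!-- Catch-all host (assumed name): requests whose Host header matches no
       other Host element are routed here. Its appBase is an empty directory,
       so Tomcat returns 404 rather than serving the real application. -->
  <Host name="invalid-host" appBase="empty-webapps"
        unpackWARs="false" autoDeploy="false" />

  <!-- The real host: a static, configured name rather than whatever the client sent -->
  <Host name="www.xxx.com" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <!-- Optional: also accept requests addressed to the server's IP
         (placeholder from the original, replace with the real address) -->
    <Alias>服务器IP</Alias>
  </Host>

</Engine>
```

Tomcat strips the port from the Host header before matching, and matching is case-insensitive, so www.xxx.com:8080 still reaches the real host. The empty appBase directory must exist (Tomcat creates it by default); a quick check after restarting is to send a request with an unknown Host header and confirm the response is 404 from the catch-all host, while one with Host: www.xxx.com reaches the application.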
