1. Problem description
In everyday projects we almost only use the GET and POST request methods; the others, such as PUT, DELETE, HEAD, OPTIONS and TRACE, are rarely needed. Leaving these HTTP methods enabled is one of the common web vulnerabilities.
2. Solution
Just disable them!!!
Add the following element to the web.xml configuration file. It can go either in the project's WEB-INF/web.xml or in tomcat/conf/web.xml.
<!-- close insecure http methods -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>fortune</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
</security-constraint>
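As an added check (not part of the original post), the Python script below parses a web.xml and reports which of the unwanted methods a deny-all security-constraint on /* does not cover. The embedded web.xml samples are constructed: the first is the post's constraint wrapped in a minimal web-app element, the second shows the Servlet 3.0 http-method-omission form, which denies every method except the ones listed. It goes slightly beyond the post by also checking PATCH, because a constraint that names only five verbs leaves any verb it does not name open.

```python
"""Check whether a web.xml security-constraint really blocks the unwanted methods.

Added example, not code from the original post. The web.xml text below is a
constructed sample built from the post's constraint; point the script at a real
file to check it. Tags are matched on local name so the Java EE namespace in a
real descriptor does not matter.
"""
import sys
import xml.etree.ElementTree as ET

UNWANTED = {"PUT", "DELETE", "HEAD", "OPTIONS", "TRACE"}

# Constructed sample: the post's constraint inside a minimal Servlet 3.1 web-app.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>fortune</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample of the Servlet 3.0 form: deny every method except GET/POST.
OMISSION_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>allow only GET and POST</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a {namespace} prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return {c.text.strip().upper() for c in _children(elem, name) if c.text and c.text.strip()}


def deny_rules(web_xml_text):
    """Collect the deny-all rules that apply to every path ('/*').

    Returns (denied, allowed_only): `denied` is the set of methods explicitly
    listed in <http-method>; `allowed_only` is the set of methods left open by
    <http-method-omission> constraints (every other method is denied), or None
    when no omission-style constraint exists. Constraints with a <role-name>
    are skipped: they restrict access to a role, they do not deny the method.
    """
    root = ET.fromstring(web_xml_text)
    denied, allowed_only = set(), None
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = _children(sc, "auth-constraint")
        if not auth or _children(auth[0], "role-name"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns = {p.text.strip() for p in _children(wrc, "url-pattern") if p.text}
            if "/*" not in patterns:
                continue
            omissions = _texts(wrc, "http-method-omission")
            methods = _texts(wrc, "http-method")
            if omissions:
                allowed_only = omissions if allowed_only is None else allowed_only & omissions
            elif methods:
                denied |= methods
            else:
                allowed_only = set()  # no method named: the constraint covers all of them
    return denied, allowed_only


def still_allowed(web_xml_text, unwanted=UNWANTED):
    """Return, sorted, the methods in `unwanted` that the descriptor does not deny."""
    denied, allowed_only = deny_rules(web_xml_text)
    return sorted(
        m for m in unwanted
        if m not in denied and (allowed_only is None or m in allowed_only)
    )


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    left_open = still_allowed(text, UNWANTED | {"PATCH"})
    print("still allowed:", left_open or "none")
```

Two details the checker encodes are worth keeping in mind when editing the descriptor by hand: the empty auth-constraint is what turns the constraint into a denial (the container answers 403 for the listed methods on every path), whereas an auth-constraint naming a role only requires that role and does not block the method; and an http-method list denies exactly the verbs it names, so the omission form is the one to use when the goal is "nothing but GET and POST". After deploying, a request with one of the blocked methods against any path of the application should come back as 403.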