文章目录0、导语一、Cookie的` HttpOnly `、` Secure `属性是什么? 为什么设定二、实践2.1 HttpOnly设定方法2.2 Secure设定方法三、总结四、参考
、领先
要应用联机,必须设置Cookie的HttpOnly和Secure属性来修复安全问题。
一、Cookie的HttpOnly,什么是安全属性? 为什么要基于Microsoft开发人员网络进行设置? HttpOnly是设置套接字http响应标头中的附加标志。 可以防止XSS攻击1
当APP应用服务器通过HTTP响应向用户发送新cookie时,可以设置Secure属性。 安全属性的目的是防止未经授权的人因以明文形式发送cookie而观察到cookie。 2
二、实践2.1 HttpOnly的设置方法设置默认值。 说明server.servlet.session.cookie.http-only true是否在会话cookie中使用' HttpOnly'cookie。 server.session.cookie.secure false是否始终将会话cookie标记为安全? 默认D:learnlearn-java spring-boot-high-concurrency curl http://localhost :8080/stuff-v * trying 336033601 . * TCP _ nodelay set * conconecttt 1.1 host : localhost 33608080用户代理: curl/7.55.1 accept : */* http/1.1。 Path=/; htponlycontent-type : application/JSON transfer-encoding : chunked date : mon, 07 jun 202117336010:22 GMT { ' a ' :0 } * connection #0tohostlocalhostleftintactserver.servlet.session.cookie.hon spring-boot-high-concurrency curl http://localhost :8080/stuff-v * trying 336033601 . * TCP _ nodelay set * conconecttt 1.1 host : localhost 33608080用户代理: curl/7.55.1 accept : */* http/1.1。 path=/content-type : application/JSON transfer-encoding : chunked date : mon,07 jun 20211733601236059 GMT { ' a } 0 tohostlocalhostleftintactserver.servlet.session.cookie.hokie learn-Java spring-boot-high-concurrency curl http://localhost :8080/stuff-v * trying 336033601 . * TCP _ nodelay set * conconecttt 1.1 host : localhost 33608080用户代理: curl/7.55.1 accept : */* http/1.1。 Path=/; htponlycontent-type : application/JSON transfer-encoding : chunked date : mon, 07 jun 202117:1336031 GMT { ' a ' :0 } * connection #0tohostlocalhostleftintact 2.2 secure设置方法的默认值说明server.session.con
in application.propertiessetthefollowingproperty :
server.servlet.session.cookie.secure=true
…orinolderversions(Before~2018 ) :
server.session.cookie.secure=true
默认D:learnlearn-java spring-boot-high-concurrency curl http://localhost :8080/stuff-v * trying 336033601 . * TCP _ nodelay set * conconecttt 1.1 host : localhost 33608080用户代理: curl/7.55.1 accept : */* http/1.1。 Path=/; htponlycontent-type : application/JSON transfer-encoding : chunked date : mon, 07 jun 202117336025:04 GMT { ' a ' :0 } * connection #0tohostlocalhostleftintactserver.servlet.session.cookie . spring-boot-high-concurrency curl http://localhost :8080/stuff-v * trying 336033601 . * TCP _ nodelay set * conconecttt 1.1 host : localhost 33608080用户代理: curl/7.55.1 accept : */* http/1.1。 Path=/; 安全; htponlycontent-type : application/JSON transfer-encoding : chunked date : mon, 07 jun 202117336025336018 GMT { ' a ' :0 } * connection #0tohostlocalhostleftintactserver.servlet.session.cookie . spring-boot-high-concurrency curl http://localhost :8080/stuff-v * trying 336033601 . * TCP _ nodelay set * conconecttt 1.1 host : localhost 33608080用户代理: curl/7.55.1 accept : */* http/1.1。 Path=/; htponlycontent-type : application/JSON transfer-encoding : chunked date : mon, 07 jun 202117336025336043 GMT { ' a ' :0 } * connection #0tohostlocalhostleftintact三、配置默认值摘要说明3 server.servlet.sesests 四.参考OWASP HttpOnly
33559 owasp.org/www-community/http only
owasp http only标志集
33559 owasp.org/www-community/http only
owasp安全标志集
33559 owasp.org/www-community/controls/securecookieattribute
howtosetcookiesassecureflaginspringboot
3359堆栈覆盖.com/questions/47989617/how-to-set-cookies-as-secure-flag-in-spring-boot
owasp安全套接字属性
33559 owasp.org/www-community/controls/securecookieattribute
MDN: HTTP响应标头Set-Cookie属性
3359 developer.Mozilla.org/zh-cn/docs/web/http/headers/set-cookie
Sping Boot配置属性Server properties
3359 prop.spring boot.io/#/11.server