安全开发:Spring Boot 打开 HttpOnly 和 Secure 属性
应用上线,需要修复安全问题,需要为 Cookie 设置 “HttpOnly” 和 “Secure” 属性。HttpOnly 设置方法配置默认值说明server.servlet.session.cookie.http-onlytrue是否对会话 cookie 使用 "HttpOnly"cookie。默认D:\learn\learn-java\spring-boot-high-concurrency&
〇、导语
应用上线,需要为 Cookie 设置 HttpOnly 和 Secure 属性以修复安全问题。
一、什么是 Cookie 的 HttpOnly、 Secure 属性,为什么要设置
根据Microsoft Developer Network,HttpOnly 是包含在 Set-Cookie HTTP 响应标头中的附加标志。可以防范 XSS攻击 1
Secure 属性是应用程序服务器在 HTTP 响应中向用户发送新 cookie 时可以设置的一个选项。安全属性的目的是防止 cookie 因明文传输 cookie 而被未授权方观察到。2
二、实践
2.1 HttpOnly 设置方法
| 配置 | 默认值 | 说明 |
|---|---|---|
server.servlet.session.cookie.http-only | true | 是否对会话 cookie 使用 "HttpOnly"cookie。 |
server.session.cookie.secure | false | 是否总是将会话 cookie 标记为安全。 |
- 默认
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=5F5E7204DB4806E498DBCEE16EE505BB; Path=/; HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:10:22 GMT
<
{"a":0}* Connection #0 to host localhost left intact
server.servlet.session.cookie.http-only=false
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=9C4848DB7F3ED02FE5D1B67D823A1338; Path=/
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:12:59 GMT
<
{"a":0}* Connection #0 to host localhost left intact
server.servlet.session.cookie.http-only=true
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=55167E90255588C69C8C8F790D0EB2AA; Path=/; HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:13:31 GMT
<
{"a":0}* Connection #0 to host localhost left intact
2.2 Secure 设置方法
| 配置 | 默认值 | 说明 |
|---|---|---|
server.session.cookie.secure | false | 是否总是将会话 cookie 标记为安全。 |
设置 Secure
In application.properties set the following property:
server.servlet.session.cookie.secure=true
… or in older versions (before ~2018):
server.session.cookie.secure=true
- 默认
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=4D2F08B1E76EC8A49C766343BCCB5287; Path=/; HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:25:04 GMT
<
{"a":0}* Connection #0 to host localhost left intact
server.servlet.session.cookie.secure=true
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=FA9734CC373FFEF7E56AB679D70CAF82; Path=/; Secure; HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:25:18 GMT
<
{"a":0}* Connection #0 to host localhost left intact
server.servlet.session.cookie.secure=false
D:\learn\learn-java\spring-boot-high-concurrency>curl http://localhost:8080/stuff -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /stuff HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=BCE553C92FAA26406DB27DF5AB352645; Path=/; HttpOnly
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 07 Jun 2021 17:25:43 GMT
<
{"a":0}* Connection #0 to host localhost left intact
三、总结
| 配置 | 默认值 | 说明3 |
|---|---|---|
server.servlet.session.cookie.http-only | true | 是否对会话 cookie 使用 "HttpOnly"cookie。 |
server.session.cookie.secure | false | 是否总是将会话 cookie 标记为安全。 |
四、参考
OWASP HttpOnly
https://owasp.org/www-community/HttpOnly
OWASP HTTPOnly Flag Set
https://owasp.org/www-community/HttpOnly
OWASP Secure Flag set
https://owasp.org/www-community/controls/SecureCookieAttribute
how to set cookies as secure flag in spring boot
https://stackoverflow.com/questions/47989617/how-to-set-cookies-as-secure-flag-in-spring-boot ↩︎OWASP Secure Cookie Attribute
https://owasp.org/www-community/controls/SecureCookieAttribute
MDN: HTTP 响应头Set-Cookie属性
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Set-Cookie ↩︎Sping Boot 配置属性 Server properties
https://prop.springboot.io/#/11.Server ↩︎
为开发者提供学习成长、分享交流、生态实践、资源工具等服务,帮助开发者快速成长。
更多推荐
4
0- 0
已为社区贡献2条内容
所有评论(0)