For the XSS (cross-site scripting) finding in the Penetration Test Report, research showed that adding the corresponding configuration to Tomcat can avoid XSS attacks. The remediation is as follows:
Open tomcat/conf/web.xml and add the following configuration:
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <!-- schema order: async-supported comes before any init-param -->
        <async-supported>true</async-supported>
        <init-param>
            <!-- sends X-Frame-Options: SAMEORIGIN (the filter's default is DENY) -->
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
        <init-param>
            <!-- false switches off the X-Content-Type-Options: nosniff header; the filter's default is true -->
            <param-name>blockContentTypeSniffingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <!-- required: a <filter> with no <filter-mapping> is loaded but never applied to any request -->
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
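As an added check (not part of the original note or of Tomcat itself): a small Python linter that parses the HttpHeaderSecurityFilter section of web.xml, reports the response headers the declared init-params will produce, and warns when the filter has no <filter-mapping> or when blockContentTypeSniffingEnabled is set to false. The function names and the sample web.xml are constructed for this example; the parameter defaults follow the filter's documentation.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
# Documented defaults; xssProtectionEnabled is omitted because its default differs
# between Tomcat versions, so it counts here only when set explicitly.
DEFAULTS = {"antiClickJackingEnabled": "true", "antiClickJackingOption": "DENY",
            "blockContentTypeSniffingEnabled": "true"}

def _local(tag):
    """Strip the namespace that Tomcat's web.xml declares on every element."""
    return tag.rsplit("}", 1)[-1]

def _text(el, child):
    for c in el:
        if _local(c.tag) == child:
            return (c.text or "").strip()
    return None

def audit_filter_config(web_xml):
    """Return {'headers': ..., 'warnings': ...} for the declared HttpHeaderSecurityFilter."""
    root = ET.fromstring(web_xml)
    decl = next((f for f in root.iter() if _local(f.tag) == "filter"
                 and _text(f, "filter-class") == FILTER_CLASS), None)
    if decl is None:
        return {"headers": {}, "warnings": ["HttpHeaderSecurityFilter is not declared"]}
    name, params = _text(decl, "filter-name"), dict(DEFAULTS)
    for ip in decl:
        if _local(ip.tag) == "init-param":
            params[_text(ip, "param-name")] = _text(ip, "param-value")
    headers, warnings = {}, []
    # A <filter> without a <filter-mapping> is loaded but never runs on any request.
    if not any(_local(m.tag) == "filter-mapping" and _text(m, "filter-name") == name
               for m in root.iter()):
        warnings.append(f"filter '{name}' has no <filter-mapping>; it will never run")
    if params["antiClickJackingEnabled"] == "true":
        headers["X-Frame-Options"] = params["antiClickJackingOption"]
    if params["blockContentTypeSniffingEnabled"] == "true":
        headers["X-Content-Type-Options"] = "nosniff"
    else:
        warnings.append("blockContentTypeSniffingEnabled=false drops X-Content-Type-Options: nosniff")
    if params.get("xssProtectionEnabled") == "true":
        headers["X-XSS-Protection"] = "1; mode=block"
    return {"headers": headers, "warnings": warnings}

# Constructed sample: the note's snippet wrapped in a minimal web-app root element.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
<filter><filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
<init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>false</param-value></init-param>
</filter></web-app>"""
```

Run `audit_filter_config(SAMPLE_WEB_XML)` on the note's snippet as written and it reports only X-Frame-Options, plus two warnings: the missing mapping and the disabled nosniff header.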