From f475e0776e13ec94679e2f523230833730abbc3f Mon Sep 17 00:00:00 2001
From: jiang
Date: Sun, 24 Aug 2025 19:24:29 +0800
Subject: [PATCH] =?UTF-8?q?=E6=BC=8F=E6=B4=9E=E4=BF=AE=E6=94=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../manager/common/config/SecurityConfig.java | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/main/java/com/bonus/gzgqj/manager/common/config/SecurityConfig.java b/src/main/java/com/bonus/gzgqj/manager/common/config/SecurityConfig.java
index a8f2421..aefd63f 100644
--- a/src/main/java/com/bonus/gzgqj/manager/common/config/SecurityConfig.java
+++ b/src/main/java/com/bonus/gzgqj/manager/common/config/SecurityConfig.java
@@ -14,6 +14,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
@@ -73,6 +74,29 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 public BCryptPasswordEncoder bCryptPasswordEncoder(){
 return new BCryptPasswordEncoder();
 }
+
+
+ @Bean
+ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ http
+ .headers(headers -> headers
+ // 防 ClickJacking
+ .frameOptions(frame -> frame.deny())
+ // CSP 配置
+ .contentSecurityPolicy(csp -> csp
+ .policyDirectives("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-ancestors 'none';")
+ )
+ // 其他安全头
+ .xssProtection(xss -> xss.block(true))
+ .contentTypeOptions(withDefaults -> {
+ })
+ .httpStrictTransportSecurity(hsts -> hsts
+ .includeSubDomains(true)
+ .maxAgeInSeconds(31536000) // 1年
+ )
+ );
+ return http.build();
+ }
 /**
 * 注入自定义PermissionEvaluator
 */
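Review bot: Declaring a `SecurityFilterChain` bean inside a class that still `extends WebSecurityConfigurerAdapter` (visible in the hunk header) mixes the two configuration models, and in the Spring Security 5.x releases I know of the context refuses to start with "Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one."; even if a given version let both load, the new chain configures only headers and no `authorizeRequests` rules, so any request it matched would be served without the access control the adapter's `configure(HttpSecurity)` (outside this hunk) presumably applies. The safer shape is to keep the `http.headers(...)` block but move it into the existing `configure(HttpSecurity http)` override and drop the `@Bean filterChain(...)` wrapper and `return http.build();`, or complete the migration off the adapter for the whole class in one change. Separately, `.xssProtection(xss -> xss.block(true))` emits `X-XSS-Protection: 1; mode=block`, which current browsers ignore and which OWASP now advises setting to `0` or omitting because the legacy auditor introduced its own issues; the `script-src 'self'` CSP directive added here is the effective control, so consider `xss -> xss.disable()` with a comment explaining why. The `filterChain` method lies entirely within the hunk, but the rest of `SecurityConfig` does not.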