diff --git a/src/main/java/com/bonus/aqgqj/manager/common/config/SecurityConfig.java b/src/main/java/com/bonus/aqgqj/manager/common/config/SecurityConfig.java
index 2d24778..bb95053 100644
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/SecurityConfig.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/SecurityConfig.java
@@ -16,6 +16,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@@ -94,6 +95,28 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 auth.authenticationProvider(userAuthenticationProvider);
 }
 
+ @Bean
+ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ http
+ .headers(headers -> headers
+ // 防 ClickJacking
+ .frameOptions(frame -> frame.deny())
+ // CSP 配置
+ .contentSecurityPolicy(csp -> csp
+ .policyDirectives("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-ancestors 'none';")
+ )
+ // 其他安全头
+ .xssProtection(xss -> xss.block(true))
+ .contentTypeOptions(withDefaults -> {
+ })
+ .httpStrictTransportSecurity(hsts -> hsts
+ .includeSubDomains(true)
+ .maxAgeInSeconds(31536000) // 1年
+ )
+ );
+ return http.build();
+ }
+
 /**
 * 添加-App登录-用户名和密码登陆验证的过滤器
 */
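Review bot: The new `filterChain` `@Bean` is added to a class that still `extends WebSecurityConfigurerAdapter` (visible in the second hunk's header), and Spring Security does not let the two coexist: on 5.4–5.7 the context refuses to start with "Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one", and on 6.x the adapter class no longer exists, so either way this chain never runs alongside the adapter's existing `configure(...)` overrides (the one that starts at the hunk's first context line lives partly outside the hunk). If the adapter is kept, the smallest fix is to drop the `@Bean` method and move the `http.headers(...)` call into the existing `configure(HttpSecurity http)` override, so the headers land on the chain that also carries the session policy and login filter the imports suggest; if the adapter is being retired, that override's authorization rules and session policy must be ported into this bean, since as written the chain has no `authorizeRequests`/`sessionManagement` and `http.build()` would produce a chain that secures nothing. Two smaller caveats on the header block itself: `xssProtection(xss -> xss.block(true))` sets the deprecated `X-XSS-Protection: 1; mode=block`, which current OWASP guidance says to set to `0` or omit (the CSP already covers this), and Spring writes the HSTS header only on requests it sees as secure, so behind a TLS-terminating proxy it is silently absent unless forwarded headers are honoured — worth a comment such as `// HSTS is only emitted for HTTPS requests; enable ForwardedHeaderFilter when TLS terminates upstream`.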