背景:
渗透测试结果为:不安全的 HTTP 方法 OPTIONS
描述
验证
curl -v -X OPTIONS http://localhost/xcall/token/refresh?_t=1689589608
解决方案(2选1):
1. Spring 项目中加上如下配置类:
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
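/**
 * Rejects HTTP methods the application does not use (the pentest finding was
 * "insecure HTTP method OPTIONS") inside embedded Tomcat, so every path answers
 * 403 for them before any controller runs.
 *
 * <p>Why an auth constraint instead of {@code setUserConstraint("CONFIDENTIAL")}:
 * a user-data constraint is only a transport guarantee. Tomcat enforces it by
 * redirecting plain-HTTP requests to HTTPS (when the connector has a redirect
 * port) and lets the method through once the connection is secure, so behind TLS
 * or a terminating proxy it denies nothing. Per the Servlet specification an
 * auth-constraint with no roles means "no user is allowed", which Tomcat answers
 * with 403. If HTTPS redirection is also wanted, add a separate constraint with
 * the CONFIDENTIAL user constraint and no auth constraint.
 *
 * <p>Caveat: denying OPTIONS also denies CORS preflight requests; if browsers
 * call this service cross-origin, handle OPTIONS instead of blocking it.
 */
@Configuration
public class TomcatConfig {

    /**
     * Methods denied on every path. PUT and DELETE are deliberately absent because
     * REST endpoints may need them. HEAD is kept as on the original list, but
     * load-balancer health checks often use HEAD; drop it here if that applies.
     */
    private static final String[] BLOCKED_METHODS = {
        "HEAD", "OPTIONS", "TRACE", "COPY", "SEARCH", "PROPFIND"
    };

    /**
     * Builds the embedded Tomcat factory with the method-deny constraint applied
     * to every context.
     *
     * @return the customised servlet web server factory
     */
    @Bean
    public ConfigurableServletWebServerFactory configurableServletWebServerFactory() {
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
        factory.addContextCustomizers(context -> context.addConstraint(denyMethodsConstraint()));
        return factory;
    }

    /**
     * Builds a constraint that denies {@link #BLOCKED_METHODS} on {@code /*} for
     * all users.
     *
     * @return a security constraint with an empty (deny-all) auth constraint
     */
    private static SecurityConstraint denyMethodsConstraint() {
        SecurityCollection collection = new SecurityCollection();
        collection.addPattern("/*");
        for (String method : BLOCKED_METHODS) {
            collection.addMethod(method);
        }
        SecurityConstraint constraint = new SecurityConstraint();
        // Empty auth-constraint (authConstraint=true, no roles) = deny everyone -> HTTP 403.
        constraint.setAuthConstraint(true);
        constraint.addCollection(collection);
        return constraint;
    }
}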
2. nginx 配置
在 nginx.conf 配置文件的 server 或 location 块中,增加如下内容:
# Deny the OPTIONS method at the edge with 403 before the request reaches Tomcat.
# This `if` must sit inside a `server` or `location` block, not directly under `http`.
# `~*` is a case-insensitive, unanchored regex match, so any method name containing
# "options" in any casing is rejected.
# Caveat: this also blocks CORS preflight; do not use it for APIs called cross-origin.
if ($request_method ~* OPTIONS) {
return 403;
}
别忘了重新加载或重启 nginx(以下命令任选其一):
/usr/local/nginx/sbin/nginx -s reload
systemctl restart nginx
测试修复结果
tomcat 返回
nginx返回