java - checkmarx 报告中缺少 HSTS header

Question

我正在使用 Checkmarx 分析我的项目，唯一剩下的中等严重性项目是 Missing_HSTS_Filter，目标名称是 HSTSFilter。在我的 web.xml 中，我有:

<filter>
    <filter-name>HSTSFilter</filter-name> <!-- checkmarx says problem is here -->
    <filter-class>c.h.i.c.web.security.HSTSFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

HSTSFilter 类:

public class HSTSFilter implements Filter {
    public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        if (req.isSecure())
            resp.setHeader("Strict-Transport-Security", "max-age=31622400; includeSubDomains");
        chain.doFilter(req, resp);
    }
}

所以我尝试了其他方法，因为我使用的是 Tomcat 7，所以我尝试在 web.xml 中添加以下内容:

<filter> <!-- checkmarx now complains here -->
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31622400</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Checkmarx 仍然提示，说这次的目标名称是 StatementCollection。我不明白这是什么意思。

我错过了什么？

Answer 1

奇怪的事情。您确实使用了正确的配置。根据这个 Checkmarx 规则，我在某些扫描中发现了很多误报。无论如何，尝试将此行添加到过滤器配置中的 web.xml 中:

<init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
</init-param>

<init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
</init-param>