- [11367]Insecure Transport: Insufficient HSTS Expiration Time
1.1 Enable HttpHeaderSecurityFilter in Tomcat's web.xml and set the hstsEnabled and hstsMaxAgeSeconds parameters
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
- [11307,11308]Web Server Misconfiguration: Insecure Content-Type Setting
2.1 Set the response Content-Type explicitly in the back-end code
response.setContentType("application/json;charset=utf-8");
- [11306]Cache Management: Insecure Policy
3.1 Enable ExpiresFilter in Tomcat's web.xml
<filter>
    <filter-name>ExpiresFilter</filter-name>
    <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
    <init-param>
        <param-name>ExpiresByType image</param-name>
        <param-value>access plus 30 minutes</param-value>
    </init-param>
    <init-param>
        <param-name>ExpiresByType text/css</param-name>
        <param-value>access plus 30 minutes</param-value>
    </init-param>
    <init-param>
        <param-name>ExpiresByType application/javascript</param-name>
        <param-value>access plus 30 minutes</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>ExpiresFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
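To see what the ExpiresFilter configuration above actually does to a response, here is an added worked example (written for this list, not Tomcat's own code). It follows the documented directive grammar `<base> [plus] (<num> <unit>)+` and the filter's lookup order for a Content-Type (full type, type without parameters, then major type, which is why `ExpiresByType image` covers `image/png`), and computes the Expires and Cache-Control headers the filter adds. Months and years are approximated as 30 and 365 days (an assumption; the filter uses calendar arithmetic). The rule table and timestamps are constructed.

```python
"""What Tomcat's ExpiresFilter emits for a given ExpiresByType directive.

Added illustration, not Tomcat's code. Directive grammar:
'<base> [plus] (<num> <unit>)+' with base = access | now | modification.
Months/years approximated as 30/365 days (assumption).
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from typing import Dict, Optional

# Seconds per unit; plural forms are normalised by stripping a trailing 's'.
_UNITS = {
    "year": 365 * 86400, "month": 30 * 86400, "week": 7 * 86400,
    "day": 86400, "hour": 3600, "minute": 60, "second": 1,
}
_DIRECTIVE = re.compile(
    r"^\s*(?P<base>access|now|modification)\s+(?:plus\s+)?"
    r"(?P<terms>(?:\d+\s+[a-z]+\s*)+)$",
    re.IGNORECASE,
)

# Rules taken from the web.xml above: the param-name minus its "ExpiresByType " prefix.
RULES: Dict[str, str] = {
    "image": "access plus 30 minutes",
    "text/css": "access plus 30 minutes",
    "application/javascript": "access plus 30 minutes",
}

# Constructed timestamps for the worked example.
SAMPLE_ACCESS_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LAST_MODIFIED = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)


def directive_to_seconds(directive: str) -> int:
    """Total lifetime in seconds encoded by e.g. 'access plus 30 minutes'."""
    m = _DIRECTIVE.match(directive)
    if not m:
        raise ValueError(f"unrecognised ExpiresFilter directive: {directive!r}")
    terms = m.group("terms").split()
    total = 0
    for num, unit in zip(terms[0::2], terms[1::2]):
        key = unit.lower().rstrip("s")
        if key not in _UNITS:
            raise ValueError(f"unknown time unit {unit!r} in {directive!r}")
        total += int(num) * _UNITS[key]
    return total


def directive_for(content_type: str, rules: Dict[str, str]) -> Optional[str]:
    """Select the rule for a Content-Type: full type, bare type, then major type."""
    full = content_type.strip().lower()
    bare = full.split(";", 1)[0].strip()
    major = bare.split("/", 1)[0]
    for key in (full, bare, major):
        if key in rules:
            return rules[key]
    return None  # no matching rule: the filter leaves the response alone


def expires_headers(directive: str, access_time: datetime,
                    last_modified: Optional[datetime] = None) -> Dict[str, str]:
    """Expires and Cache-Control headers for a response served at access_time.

    With the 'modification' base the lifetime counts from Last-Modified, so a
    resource changed long ago can come out already expired (max-age clamps to 0).
    """
    seconds = directive_to_seconds(directive)
    base = access_time
    if directive.split()[0].lower() == "modification":
        if last_modified is None:
            raise ValueError("the 'modification' base needs a Last-Modified time")
        base = last_modified
    expires_at = base + timedelta(seconds=seconds)
    max_age = max(0, int((expires_at - access_time).total_seconds()))
    return {
        "Expires": format_datetime(expires_at.astimezone(timezone.utc), usegmt=True),
        "Cache-Control": f"max-age={max_age}",
    }


if __name__ == "__main__":
    for ctype in ("image/png", "text/css;charset=UTF-8", "text/html"):
        rule = directive_for(ctype, RULES)
        print(ctype, "->", expires_headers(rule, SAMPLE_ACCESS_TIME) if rule else "no rule")
```

Note that the filter only adds these headers when the response does not already carry an Expires header or a Cache-Control max-age, so application code that sets its own caching headers keeps control; `text/html` has no rule in the configuration above and is left untouched.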
- [10543]Cookie Security: HTTPOnly not Set; Cookie not Sent Over SSL
4.1 Add the secure attribute to cookie-config in Tomcat's web.xml
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>
4.2 Set useHttpOnly="true" in Tomcat's context.xml (this step can be skipped, because useHttpOnly defaults to true)
<Context useHttpOnly="true">
4.3 Set the secure and httpOnly attributes of the cookie in the back-end code
import javax.servlet.http.Cookie;   // javax.servlet API; Tomcat 10+ uses jakarta.servlet

Cookie cookie = new Cookie("cloud_session_id", "cloud_cookie_132131");
cookie.setMaxAge(-1);              // -1: session cookie, held only in the browser's memory
cookie.setPath("/");
if (request.isSecure()) {          // request arrived over a secure (HTTPS) connection
    cookie.setSecure(true);        // browser will only send it back over HTTPS
}
cookie.setHttpOnly(true);          // not readable by client-side script
response.addCookie(cookie);
- [11516]Insecure Transport: Weak SSL Protocol
5.1 Upgrade the communication protocol to TLSv1.2
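One way to apply step 5.1 on a Tomcat 8.5/9 HTTPS connector, as an added configuration fragment that is not part of the original list: the `protocols` attribute of `SSLHostConfig` limits the connector to TLSv1.2, so SSLv3, TLSv1.0 and TLSv1.1 handshakes are refused. The port, keystore path and password are placeholders.

```xml
<!-- server.xml, inside <Service>: HTTPS connector restricted to TLSv1.2 (added example) -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="conf/REPLACE-WITH-KEYSTORE.jks"
                     certificateKeystorePassword="REPLACE-WITH-PASSWORD"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After restarting Tomcat, confirm the change from the outside as well as in the configuration: a TLS scan of the port should report only TLSv1.2 as offered.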
- [11501]HTTP Verb Tampering
6.1 Add a security constraint to Tomcat's web.xml (an empty auth-constraint denies the listed methods to everyone)
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>PATCH</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
</security-constraint>
- [11380,4725]Often Misused: Weak SSL Certificate; SSL Certificate Hostname Discrepancy
7.1 Replace the certificate with a valid certificate issued by a CA
- [11294]Cross-Frame Scripting
8.1 Enable HttpHeaderSecurityFilter in Tomcat's web.xml and set the antiClickJackingEnabled and antiClickJackingOption parameters
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
- [10963]Cross-Site Request Forgery
9.1 Generate a csrfToken on the back end; the front end includes the token in every ajax request so the back end can validate it
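The token scheme in step 9.1, worked through as an added example that is not code from the original list: the server binds one random token to each session, the front end sends it back in a request header on every AJAX call, and the server accepts a state-changing request only when the submitted token matches the session's token under a constant-time comparison. The in-memory session store, the `X-CSRF-Token` header name and the session-id format are assumptions standing in for the servlet container's own.

```python
"""Synchronizer-token CSRF protection (added illustration, not the page's code).

Session store, header name and id format are assumptions; a servlet container
would keep the token as a session attribute instead of in _SESSIONS.
"""
import hmac
import secrets
from typing import Dict, Mapping

CSRF_HEADER = "X-CSRF-Token"  # assumed name of the header the front end adds
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})  # read-only; must not change state

# session id -> session attributes; stands in for the container's session store
_SESSIONS: Dict[str, Dict[str, str]] = {}


def create_session() -> str:
    """Open a session and bind a fresh CSPRNG token to it."""
    session_id = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Token handed to the front end (in the page or a bootstrap response)
    so it can attach it to every AJAX request."""
    return _SESSIONS[session_id]["csrf_token"]


def rotate_token(session_id: str) -> str:
    """Issue a new token, for example after login, so a pre-login token is not reused."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[session_id]["csrf_token"] = token
    return token


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def validate_request(session_id: str, method: str, headers: Mapping[str, str]) -> bool:
    """Accept a state-changing request only if its token matches the session's."""
    if method.upper() in SAFE_METHODS:
        return True
    session = _SESSIONS.get(session_id)
    if session is None:
        return False  # unknown or expired session: nothing to validate against
    submitted = _header(headers, CSRF_HEADER)
    if not submitted:
        return False
    # compare_digest keeps the comparison constant-time, so the token cannot be
    # recovered piecewise from response timing
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())


if __name__ == "__main__":
    sid = create_session()
    token = csrf_token_for(sid)
    print("with token   :", validate_request(sid, "POST", {CSRF_HEADER: token}))
    print("without token:", validate_request(sid, "POST", {}))
```

On the front end the token is read once from the page (or a bootstrap call) and set as a request header on every XMLHttpRequest or fetch; because it travels in a custom header rather than a cookie, the browser does not attach it automatically, which is what a cross-site form submission would rely on.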
- [10241]Flash Misconfiguration: Overly Permissive Cross-Domain Policy
10.1 Set domain="127.0.0.1" in the cross-domain policy
- [4728]Cookie Security: Persistent Cookie
11.1 When creating the cookie, specify maxAge=-1, which means it is not persisted
Cookie cookie = new Cookie("cloud_session_id", "cloud_cookie_132131");
cookie.setMaxAge(-1);   // the cookie lives only in the browser's memory and is discarded when the browser closes
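Several items in this list (1 HSTS expiry, 2 Content-Type, 8 X-Frame-Options, 4 and 11 cookie flags and persistence) can be verified from a single captured response. The following added example, not code from the original list, audits a response's headers and Set-Cookie lines against those checks; the "before" and "after" responses are constructed samples, and the one-year threshold is the hstsMaxAgeSeconds value configured above.

```python
"""Audit a captured HTTP response against the header and cookie items in this
list (added illustration). Sample responses below are constructed."""
from typing import Dict, List, Optional

HSTS_MIN_MAX_AGE = 31536000  # one year, matching hstsMaxAgeSeconds above
# media types that should always declare a charset
TEXT_TYPES = ("application/json", "application/javascript", "application/xml")


def parse_directives(value: str) -> Dict[str, Optional[str]]:
    """Split 'a=1; b; c=x' into {'a': '1', 'b': None, 'c': 'x'} (names lower-cased)."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        out[name.strip().lower()] = val.strip() if sep else None
    return out


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_hsts(value: Optional[str]) -> List[str]:
    if value is None:
        return ["HSTS: Strict-Transport-Security header missing"]
    max_age = parse_directives(value).get("max-age")
    if max_age is None or not max_age.isdigit():
        return ["HSTS: max-age directive missing or malformed"]
    if int(max_age) < HSTS_MIN_MAX_AGE:
        return [f"HSTS: max-age {max_age} below {HSTS_MIN_MAX_AGE}"]
    return []


def check_content_type(value: Optional[str]) -> List[str]:
    if value is None or not value.strip():
        return ["Content-Type: header missing"]
    media_type = value.split(";", 1)[0].strip().lower()
    needs_charset = media_type.startswith("text/") or media_type in TEXT_TYPES
    if needs_charset and "charset" not in parse_directives(value):
        return [f"Content-Type: {media_type} declared without a charset"]
    return []


def check_frame_options(value: Optional[str]) -> List[str]:
    if value is None:
        return ["Framing: X-Frame-Options header missing"]
    if value.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return [f"Framing: X-Frame-Options value {value!r} is not DENY or SAMEORIGIN"]
    return []


def check_set_cookie(value: str) -> List[str]:
    """Secure, HttpOnly and persistence checks for one Set-Cookie header."""
    cookie_name = value.split("=", 1)[0].strip()
    attrs = dict(list(parse_directives(value).items())[1:])  # skip name=value
    findings = []
    if "secure" not in attrs:
        findings.append(f"Cookie {cookie_name}: Secure flag not set")
    if "httponly" not in attrs:
        findings.append(f"Cookie {cookie_name}: HttpOnly flag not set")
    if "expires" in attrs or "max-age" in attrs:
        findings.append(f"Cookie {cookie_name}: persistent (Expires/Max-Age set)")
    return findings


def audit_response(headers: Dict[str, str], set_cookies: List[str]) -> List[str]:
    """All findings for one response; an empty list means every check passed."""
    findings: List[str] = []
    findings += check_hsts(_get(headers, "Strict-Transport-Security"))
    findings += check_content_type(_get(headers, "Content-Type"))
    findings += check_frame_options(_get(headers, "X-Frame-Options"))
    for cookie in set_cookies:
        findings += check_set_cookie(cookie)
    return findings


# Constructed sample: an unhardened response ...
BEFORE = {"Content-Type": "application/json",
          "Strict-Transport-Security": "max-age=300"}
BEFORE_COOKIES = ["JSESSIONID=abc123; Path=/",
                  "remember=1; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/"]
# ... and the same endpoint after applying items 1, 2, 4, 8 and 11 above.
AFTER = {"Content-Type": "application/json;charset=utf-8",
         "Strict-Transport-Security": "max-age=31536000",
         "X-Frame-Options": "SAMEORIGIN"}
AFTER_COOKIES = ["JSESSIONID=abc123; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for f in audit_response(BEFORE, BEFORE_COOKIES):
        print("FAIL", f)
    print("hardened response findings:", audit_response(AFTER, AFTER_COOKIES))
```

Feeding the audit with headers captured from the deployed server (rather than reading web.xml) also catches the case where a reverse proxy in front of Tomcat strips or overrides the headers the filter set.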