http的请求头和响应头安全漏洞bug修改

一、背景环境

系统部署Windows环境，使用的是Tomcat，同时启动前后端一起的。

想不到吧！Win11当服务器，部署网站

二、安全扫描

三、可行性方案

四、终极方案

response.setHeader("X-Permitted-Cross-Domain-Policies", "master-only");
response.setHeader("X-Download-Options", "noopen");
response.setHeader("Referrer-Policy", "no-referrer-when-downgrade");
response.setHeader("Strict-Transport-Security", "max-age=31536000;includeSubDomains");
response.setHeader("X-Content-Type-Options", "nosniff");
response.setHeader("X-XSS-Protection", "1; mode=block");
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "*");
response.setHeader("Access-Control-Max-Age", "1728000");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
response.addHeader("X-Frame-Options","sameorigin");
response.addHeader("Content-Security-Policy","default-src *; script-src * 'unsafe-inline' 'unsafe-eval';style-src * 'unsafe-inline' 'unsafe-eval'; img-src * 'unsafe-inline'; font-src *; media-src *;object-src * ");

五、验证结果