X-XSS-Protection is just an HTTPD response header that instructs browsers that respect the header not to make a request from content of the page that appears to be an XSS attack.
Based on the page below, I don't think X-XSS-Protection offers much.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
XSS really needs to be addressed at the point where content is created, particularly if your concern is responding to security scan results. A Content Security Policy offers better protection, but that still won't get you past a security scan where XSS vulnerabilities exist, nor should it. Per the previous reply, "defensive code" is the best solution.
Jim
On 7/19/2021 2:04 AM, Thejas Hl wrote:
Hi, thanks for your email. Is it possible the server is filtering XSS attacks from browser-to-server requests (with the header X-XSS-Protection: "1; mode=block")? If so, kindly provide the steps for the same.
Regards,
Thejas
On Fri, 16 Jul 2021 at 12:50, James Smith <js5@xxxxxxxxxxxx> wrote:
You can add:
Header always set X-XSS-Protection "1; mode=block"
which will help – but the rest you need to look at the way you code your pages.
Then you can look at
(1) defensive code
(2) Content-Security-Policy header
(3) Specific rules in Apache to mitigate attacks
Remembering that XSS is often a vector for other attacks.
From: Thejas Hl <thejashl013@xxxxxxxxx>
Sent: 16 July 2021 06:31
To: users@xxxxxxxxxxxxxxxx
Subject: query regarding httpd server [EXT]
Hello team,
Is an XSS attack internally taken care of by the Apache httpd server? If yes, kindly share the steps to activate protection against such an attack.
Thanks and regards
tej
--
The Wellcome Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
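As an added example (not posted by anyone in this thread), here is httpd configuration for the items James lists: the X-XSS-Protection header, a Content-Security-Policy header, and a request-side rewrite rule of the kind Thejas asked about. The CSP policy value, the report endpoint and the rewrite patterns are assumed illustrative values, not something the thread supplies; adjust them to your site. The note that modern browsers ignore X-XSS-Protection (Chromium removed its XSS Auditor, Firefox never implemented the header) is why Jim says it offers little.

```apache
# Added example for the thread above, not code from the original posts.
# Requires mod_headers (LoadModule headers_module modules/mod_headers.so,
# or "a2enmod headers" on Debian/Ubuntu).
<IfModule mod_headers.c>
    # The header from James's reply. Current browsers ignore it, so it
    # satisfies scanners that look for the header but is not a control.
    Header always set X-XSS-Protection "1; mode=block"

    # Content-Security-Policy (assumed example policy). Disallowing inline
    # scripts and third-party script origins stops most injected <script>
    # payloads from executing even when the page itself is vulnerable.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"

    # Roll a new policy out in report-only mode first: a policy that breaks
    # legitimate scripts then shows up as violation reports at the assumed
    # /csp-report endpoint instead of as a broken site.
    # Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; report-uri /csp-report"
</IfModule>

# Request-side filtering of the kind asked about. This only catches the most
# obvious reflected payloads in the query string and is easily bypassed
# (alternative encodings, event-handler attributes, payloads in POST bodies
# or headers). A WAF such as mod_security with the OWASP Core Rule Set is
# the proper tool for this job; the rule below is a stopgap, not a fix.
# Requires mod_rewrite.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (<|%3C)script [NC,OR]
    RewriteCond %{QUERY_STRING} javascript: [NC]
    RewriteRule .* - [F,L]
</IfModule>
```

None of this removes a reflected or stored XSS from the application: a scanner that finds one will still report it, and the fix remains escaping or encoding output at the point where the content is created, as both replies say. The headers limit what an injected payload can do in the browser; the rewrite rule only blocks the payloads it happens to match.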