how to set Http header X-XSS-Protection

I have tried to put this:

   <meta http-equiv="X-XSS-Protection" content="0"> 

in the <head> tag but have had no luck. I am trying to get rid of pesky IE preventing cross-site scripting

asked Jan 08 '11 by Aly



1 Answer

I doubt it'd work as just a meta tag. You may have to tell your web server to send it as a real header.

In PHP, you'd do it like

header("X-XSS-Protection: 0"); 

In ASP.net:

Response.AppendHeader("X-XSS-Protection","0") 

In Apache's config:

   Header set X-XSS-Protection "0"

In IIS, there's a section in the properties for extra headers. It often has "X-Powered-By: ASP.NET" already set up in it; you'd just add "X-XSS-Protection: 0" to that same place.

answered Sep 22 '22 by cHao
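As an added example (not code from the answer above), using only Python's standard-library WSGI tools: a middleware that sends X-XSS-Protection as a real response header, an in-process check showing that the <meta> tag from the question never becomes a header, and a small parser for the directive values discussed in this thread. The names page_app, add_xss_header and response_headers are my own.

```python
"""Send X-XSS-Protection as a real HTTP header from a WSGI app and inspect the result."""
from wsgiref.util import setup_testing_defaults


def parse_xss_protection(value):
    """Parse an X-XSS-Protection value into {'enabled': bool, 'mode': str or None}.

    Values from the thread: "0" disables the filter, "1" enables it,
    "1; mode=block" makes the browser refuse to render the page on detection.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError("invalid X-XSS-Protection value: %r" % value)
    result = {"enabled": parts[0] == "1", "mode": None}
    for directive in parts[1:]:
        name, _, val = directive.partition("=")
        if name.strip().lower() == "mode":
            result["mode"] = val.strip().lower()
    return result


def page_app(environ, start_response):
    """Application that returns only the page, with the meta tag from the question (constructed)."""
    body = b'<html><head><meta http-equiv="X-XSS-Protection" content="0"></head></html>'
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]


def add_xss_header(app, value="0"):
    """Middleware that sets the header: the WSGI equivalent of PHP's header() call."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "x-xss-protection"]
            headers.append(("X-XSS-Protection", value))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def response_headers(app, path="/"):
    """Run one request through a WSGI app in-process and return its headers as a dict."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = dict(headers)

    b"".join(app(environ, start_response))  # consume the body so the app completes
    return captured["headers"]
```

response_headers(page_app) contains no X-XSS-Protection entry because the meta tag lives in the body, while response_headers(add_xss_header(page_app)) does.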