0x00 Background
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari: when the browser detects a reflected cross-site scripting (XSS) attack, it stops the page from loading.
These protections are largely unnecessary in modern browsers when a site deploys a strong Content-Security-Policy that forbids inline JavaScript ('unsafe-inline'), but they can still protect users of older web browsers that do not yet support CSP.
0x01 Remediation approach
Configure the X-XSS-Protection response header with one of the following values:
X-XSS-Protection: 0 # Disables the XSS filter.
X-XSS-Protection: 1 # Enables the XSS filter (usually the browser default).
If a cross-site scripting attack is detected, the browser sanitises the page (removes the unsafe parts).
X-XSS-Protection: 1; mode=block # mode=block
Enables the XSS filter. If an attack is detected, the browser refuses to render the page at all instead of sanitising it.
X-XSS-Protection: 1; report=<reporting-uri> # Chrome only
Enables the XSS filter. If a cross-site scripting attack is detected, the browser sanitises the page and reports the violation, using the CSP report-uri directive's mechanism to send the report.
0x02 Code fix
Recommended configuration: X-XSS-Protection: 1; mode=block
Nginx
add_header "X-XSS-Protection" "1; mode=block";
Apache (.htaccess)
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
PHP
header("X-XSS-Protection: 1; mode=block");
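To verify what a server actually sends after applying one of the configurations above, here is an added Python helper (not code from the original post) that parses the X-XSS-Protection value into its directives and classifies a response against the recommended "1; mode=block" setting, also noting whether a Content-Security-Policy header is present; the sample responses are constructed.

```python
from dataclasses import dataclass
from typing import Optional
# Hypothetical audit helper, not part of the original post.
@dataclass
class XssProtection:
    enabled: bool
    mode: Optional[str]        # "block" or None
    report_uri: Optional[str]  # Chrome-only report target, or None

def parse_xss_protection(value: str) -> XssProtection:
    """Parse a value such as '0', '1', '1; mode=block' or '1; report=/r'."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"malformed X-XSS-Protection value: {value!r}")
    result = XssProtection(enabled=parts[0] == "1", mode=None, report_uri=None)
    for directive in parts[1:]:
        name, _, directive_value = directive.partition("=")
        name, directive_value = name.strip().lower(), directive_value.strip()
        if name == "mode" and directive_value.lower() == "block":
            result.mode = "block"
        elif name == "report" and directive_value:
            result.report_uri = directive_value
        else:
            raise ValueError(f"unknown directive {directive!r}")
    return result

def audit_headers(headers: dict) -> str:
    """Classify one response by its headers (names compared case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    has_csp = "content-security-policy" in lowered
    value = lowered.get("x-xss-protection")
    if value is None:
        return "missing" if not has_csp else "missing-but-csp"
    parsed = parse_xss_protection(value)
    if not parsed.enabled:
        return "disabled" if not has_csp else "disabled-with-csp"
    if parsed.mode == "block":
        return "recommended"       # filter on, page blocked on detection
    return "sanitize"              # filter on, page cleaned instead of blocked
# Constructed sample responses, not captured from real servers
SAMPLE_RESPONSES = {
    "nginx": {"X-XSS-Protection": "1; mode=block"},
    "legacy": {"x-xss-protection": "1"},
    "csp-only": {"Content-Security-Policy": "default-src 'self'"},
    "off": {"X-XSS-Protection": "0"},
}
if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name}: {audit_headers(headers)}")
```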