0x00 Background

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops a page from loading when the browser detects a reflected cross-site scripting (XSS) attack.
These protections are largely unnecessary in modern browsers when the site implements a strong Content-Security-Policy that disables inline JavaScript (no 'unsafe-inline' in script-src), but they can still protect users of older web browsers that do not yet support CSP.

Note that the header is legacy: Chromium removed its XSS Auditor in version 78 and Firefox never implemented a filter, so current browsers ignore the header entirely. Treat it as a defence for old clients only, and rely on output encoding and CSP as the primary protection against XSS.

0x01 Remediation approach

Configure the value of the X-XSS-Protection response header. The recognised values are:

X-XSS-Protection: 0
Disables the XSS filter.

X-XSS-Protection: 1
Enables the XSS filter (usually the browser default). If a cross-site scripting attack is detected, the browser sanitizes the page (removes the unsafe parts) and renders the rest.

X-XSS-Protection: 1; mode=block
Enables the XSS filter. If an attack is detected, the browser refuses to render the page at all instead of sanitizing it.

X-XSS-Protection: 1; report=<reporting-uri>
(Chromium only.) Enables the XSS filter. If a cross-site scripting attack is detected, the browser sanitizes the page and reports the violation, reusing the reporting mechanism of the CSP report-uri directive to send the report to the given URI.

0x02 Configuration fix

Recommended configuration: X-XSS-Protection: 1; mode=block
Prefer mode=block over a bare 1: blocking refuses to render the page, whereas the sanitizing mode rewrites the page and still serves it. Set the header in addition to, not instead of, a Content-Security-Policy.

Nginx

# "always" also sends the header on error responses (4xx/5xx), nginx >= 1.7.5.
# Remember that add_header in a nested location block replaces, rather than
# inherits, the add_header directives of the enclosing server/location.
add_header X-XSS-Protection "1; mode=block" always;

Apache (.htaccess)

<IfModule mod_headers.c>

  Header set X-XSS-Protection "1; mode=block"

</IfModule>

PHP

// Must be called before any output is sent, otherwise headers are already flushed.
header("X-XSS-Protection: 1; mode=block");
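To check that a deployed server actually sends the value described in 0x01 and configured in 0x02, the following Python script parses an X-XSS-Protection header into the four modes above and audits a response header set for a missing, malformed or weak (sanitize-only) value. This is an added example, not code from the original page; the sample header sets, the report URI on example.com and the fetch_headers() helper are constructed for illustration and are not taken from any real server.

```python
"""Parse and audit the X-XSS-Protection response header.

Added example (not part of the original page). The SAMPLE_RESPONSES
below are constructed header sets, not captured from a real site.
"""
import urllib.request


def parse_xss_protection(value: str) -> dict:
    """Split a header value into the parts described on the page.

    Returns {"enabled": True/False/None, "mode": "block" or None,
             "report": URI or None, "unknown": [unrecognised tokens]}.
    Unrecognised tokens (for example a typo such as 'mode=blok') are kept
    so the auditor can flag them instead of silently ignoring them.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    result = {"enabled": None, "mode": None, "report": None, "unknown": []}
    if not parts:
        return result
    if parts[0] in ("0", "1"):
        result["enabled"] = parts[0] == "1"
    else:
        result["unknown"].append(parts[0])
    for token in parts[1:]:
        key, _, val = token.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "mode" and val.lower() == "block":
            result["mode"] = "block"
        elif key == "report" and val:
            result["report"] = val
        else:
            result["unknown"].append(token)
    return result


def audit(headers: dict) -> list:
    """Return a list of findings for a response header map (keys matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    value = lower.get("x-xss-protection")
    if value is None:
        findings.append("missing: X-XSS-Protection not set; old browsers fall back to their default filter")
        return findings
    parsed = parse_xss_protection(value)
    if parsed["unknown"]:
        findings.append("malformed: unrecognised token(s) %r" % parsed["unknown"])
    if parsed["enabled"] is False:
        findings.append("disabled: filter explicitly turned off; acceptable only behind a strong CSP")
    elif parsed["enabled"] and parsed["mode"] != "block":
        findings.append("weak: filter in sanitize mode; use '1; mode=block' so the page is not rendered")
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("info: no Content-Security-Policy; the filter is the only reflected-XSS defence for old browsers")
    elif "'unsafe-inline'" in csp:  # crude check: does not distinguish script-src from style-src
        findings.append("info: CSP allows 'unsafe-inline', so it does not make the filter redundant")
    return findings


def fetch_headers(url: str, timeout: float = 5.0) -> dict:
    """Fetch the response headers of a live URL (network access; not used by the samples)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample header sets (not real responses); the report URI is hypothetical.
SAMPLE_RESPONSES = {
    "nginx-recommended": {"X-XSS-Protection": "1; mode=block",
                          "Content-Security-Policy": "default-src 'self'"},
    "sanitize-only": {"x-xss-protection": "1"},
    "report-only-chromium": {"X-XSS-Protection": "1; report=https://example.com/xss-report"},
    "no-header": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, "->", audit(hdrs) or ["ok"])
```

Run it as-is to see the findings for the constructed samples; to audit a real deployment, call audit(fetch_headers("https://your-host/")) and confirm the header is also present on error pages, which is what the nginx "always" flag above is for.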
