X-XSS-Protection is just an HTTPD response header that instructs the
browsers that respect the header not to make a request from content
of the page that appears to be an XSS attack.
Based on the page below, I don't think X-XSS-Protection offers much.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
XSS really needs to be addressed at the point where content is created
particularly if your concern is responding to security scan results. A
Content Security Policy offers better protection, but that still won't
get you past a security scan where XSS vulnerabilities exist, nor
should it. Per the previous reply, "Defensive code" is the best solution.
Jim
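As an added illustration of the "defensive code" point (this is not code from the thread or from the httpd project), the following minimal WSGI handler encodes untrusted input at the point where it is written into the HTML and also emits the two headers discussed above. The `CSP` value and the `name` query parameter are assumptions chosen for the example; the input string is constructed.

```python
"""Added example: output encoding as the primary XSS defence, with the
Content-Security-Policy and X-XSS-Protection headers as secondary layers."""
import html
from urllib.parse import parse_qs

# Constructed untrusted input of the kind a "name" form field might carry.
UNTRUSTED = "<script>alert(1)</script>"

# Assumed policy for this example: scripts only from the page's own origin,
# no inline script, no plugins.  Adjust to what the real site actually loads.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'"


def render_unsafe(name: str) -> str:
    """The 'before' case: user input is concatenated straight into HTML.
    Shown only to contrast with render_safe; never ship this."""
    return f"<p>Hello {name}</p>"


def render_safe(name: str) -> str:
    """The defensive code the thread recommends: encode untrusted data at
    the exact point where it meets an HTML text context."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def build_response(query_string: str):
    """Build (status, headers, body) for a request whose query string
    carries an untrusted 'name' parameter (hypothetical parameter name)."""
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    body = render_safe(name).encode("utf-8")
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        # Same value James suggested for Apache's mod_headers; harmless on
        # browsers that ignore it, a small extra layer on those that honour it.
        ("X-XSS-Protection", "1; mode=block"),
        # CSP limits what an injected script could do if encoding were missed.
        ("Content-Security-Policy", CSP),
        ("Content-Length", str(len(body))),
    ]
    return "200 OK", headers, body


def app(environ, start_response):
    """WSGI entry point so the example can be served locally."""
    status, headers, body = build_response(environ.get("QUERY_STRING", ""))
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server

    # Serve on localhost only; try /?name=<script>alert(1)</script> in a browser
    # and view the page source to see the encoded output.
    with make_server("127.0.0.1", 8080, app) as srv:
        srv.serve_forever()
```

The headers are set in the application here purely to keep the example self-contained; on a real deployment they would normally come from the Apache `Header` directive as in the reply below, while the encoding in `render_safe` is what actually removes the vulnerability a scanner reports.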
On 7/19/2021 2:04 AM, Thejas Hl wrote:
Hi,
Thanks for your email.
Is it possible the server is filtering XSS attacks
in the browser-to-server request (with header X-XSS-Protection: "1;
mode=block")? If so, then kindly provide the steps for the same.
Regards,
Thejas
On Fri, 16 Jul 2021 at 12:50, James Smith <j...@sanger.ac.uk> wrote:
You can add:
Header always set X-XSS-Protection "1; mode=block"
which will help – but the rest you need to look at the way you
code your pages.
Then you can look at
(1) defensive code
(2) Content-Security-Policy header
(3) Specific rules in Apache to mitigate attacks
Remembering that XSS is often a vector for other attacks.
*From:* Thejas Hl <thejashl...@gmail.com>
*Sent:* 16 July 2021 06:31
*To:* users@httpd.apache.org
*Subject:* [users@httpd] query regarding httpd server [EXT]
Hello team,
Is an XSS attack internally taken care of by the httpd Apache
server? If yes, kindly share the steps to activate protection
against such attacks.
Thanks and regards,
tej
-- The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose
registered office is 215 Euston Road, London, NW1 2BE.