Setting X-XSS-Protection to FIELD helps protect against common cross-site scripting (XSS) attacks by filtering and blocking suspected malicious scripts. For the first directive, 0 disables XSS protection on the client side and 1 enables it. mode=block prevents the browser from loading pages potentially compromised by XSS instead of attempting to sanitise them. The report directive can be either a path or a URL.
Optional for: HTTP/1.0 and HTTP/1.1
For more information about this directive, see OWASP, “Cross Site Scripting Prevention Cheat Sheet.”
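As an added example (not code from this page or the scanner it documents), the following Python parses an X-XSS-Protection value into the directives described above and flags malformed or ineffective combinations, such as mode=block paired with 0; the function names and sample values are my own.

```python
from urllib.parse import urlparse

# Accepted forms, per the header syntax described on this page:
#   0                      filter disabled
#   1                      filter enabled (browser sanitises the page)
#   1; mode=block          filter enabled, page is blocked rather than sanitised
#   1; report=<uri>        filter enabled, violations reported to a path or URL
# mode=block and report= may be combined. Anything else is reported as a problem.

def parse_x_xss_protection(value):
    """Return (settings, problems). settings has keys 'enabled', 'block',
    'report'; problems is a list of human-readable strings."""
    settings = {"enabled": None, "block": False, "report": None}
    problems = []
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        problems.append(f"first directive must be 0 or 1, got {parts[0]!r}")
        return settings, problems
    settings["enabled"] = parts[0] == "1"
    for part in parts[1:]:
        if part == "":
            continue  # tolerate a trailing semicolon
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode":
            if arg.lower() == "block":
                settings["block"] = True
            else:
                problems.append(f"mode must be 'block', got {arg!r}")
        elif name == "report":
            if not arg:
                problems.append("report directive has no path or URL")
            elif arg.startswith("/") or urlparse(arg).scheme in ("http", "https"):
                settings["report"] = arg
            else:
                problems.append(f"report target is neither a path nor an http(s) URL: {arg!r}")
        else:
            problems.append(f"unknown directive {part!r}")
    # mode= and report= only mean something when the filter is on.
    if settings["enabled"] is False and (settings["block"] or settings["report"]):
        problems.append("mode/report have no effect when the filter is disabled (0)")
    return settings, problems

def header_is_hardened(value):
    """True only for a syntactically valid value that enables the filter in block mode."""
    settings, problems = parse_x_xss_protection(value)
    return not problems and settings["enabled"] is True and settings["block"]
```

Current Chromium-based browsers and Firefox no longer implement the XSS filter this header controls, so treat it as a legacy header rather than a substitute for Content-Security-Policy.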
See how Web Application Headers is assessed and the related finding messages.
- September 12, 2023: Separated finding messages.
- February 14, 2022: Linked to the OWASP cheat sheet.
- August 31, 2018: Published.