How to set the Http X-XSS-Protection header

Question

How to set the Http X-XSS-Protection header

I tried to do this:

<meta http-equiv="X-XSS-Protection" content="0">

in the <head> , but no luck. I'm trying to get rid of annoying IE preventing cross site scirpting

+27

internet-explorer http-headers xss

Aly Jan 08 '11 at 18:20

source share

6 answers

If you use .Net MVC, you can configure it through customHeaders in Web.Config.

To add these headers, go to the httpprotocol node and add these headers inside the customHeaders node.

 <httpprotocol> <customheaders> <remove name="X-Powered-By"> <add name="X-XSS-Protection" value="1; mode=block"></add> </remove> </customheaders> </httpprotocol>

I highly recommend this link, which explains how you can configure IIS protected headers in ASP.NET MVC: http://insiderattack.blogspot.com/2014/04/configuring-secure-iis-response-headers.html

+11

Equiman Oct. 16 '14 at 15:09

source share

In some cases, if you use .htaccess, you need to use double quotes:

Header set x-xss-protection "1; mode=block"

+2

gbm Jul 17 '13 at 13:26

source share

In ASP Classic this tag will do this:

 <% Response.AddHeader "X-XSS-Protection", "1" %>

+2

Hernaldo Gonzalez Jul 28 '15 at 14:43

source share

In Apache you need to edit the configuration file, this file can be:

file / etc / apache 2 / apache2.conf

/etc/apache2/httpd.conf

In the file, you can add these lines at the end to enable HTTP Header XSS Protection:

 <IfModule mod_headers.c> Header set X-XSS-Protection: "1; mode=block" </IfModule>

Note: if mod_headers is external to the main Apache core (not compiled into Apache), you should use .so and not .c - i.e. <IfModule mod_headers.so>

After that, save the changes and restart apache with:

sudo service apache2 restart

or

sudo service httpd restart

Hope this helps! :)

+1

galoget Aug 22 '14 at 6:08

source share

 # Turn on IE8-IE9 XSS prevention tools Header set X-XSS-Protection "1; mode=block"

This header is exclusive to Internet Explorer 8 and 9, it includes cross-site scripting protection in IE 8 and IE 9, which is disabled by default, as this may potentially violate some websites. To enable the XSS filter, use the X-XSS-Protection header "1; mode = block". If you want this filter not to be enabled for your website, set the value of the headers to "0";

http://stopmalvertising.com/security/securing-your-website-with-.htaccess/.htaccess-http-headers.html

0

Won Jun Bae Oct 21 '15 at 18:20

source share

chao · Accepted Answer · 2011-01-08 18:51

I doubt it will be just a meta tag. You may need to tell your web server that it is sending it as a real header.

In PHP you would do it like

 header("X-XSS-Protection: 0");

In ASP.net:

 Response.AppendHeader("X-XSS-Protection","0")

In the Apache configuration:

 Header set X-XSS-Protection 0

IIS has a property section for additional headers. It already has X-Powered-By: ASP.NET installed; you would simply add “X-XSS-Protection: 0” to the same location.

How to set the Http X-XSS-Protection header

More articles: