HTTP headers | X-XSS-Protection
HTTP headers carry additional information with an HTTP request or response. X-XSS-Protection is a response header that tells the browser to stop rendering a page when it detects a reflected cross-site scripting (XSS) attack. The header is becoming unnecessary as sites adopt Content-Security-Policy.
XSS attacks: XSS stands for Cross-site Scripting. In this attack the attacker bypasses the browser's same-origin policy by abusing a vulnerable web application. The attack is only possible when HTML is generated dynamically and user input is not sanitized before it is inserted into that HTML. The attacker injects his own HTML (typically script) into the page, and the browser executes it as if it were part of the site. Through that injected code the attacker can reach data the page can access, such as cookies and database-backed content. In earlier days X-XSS-Protection was used to stop this kind of attack.
Types of XSS Attacks: Cross-site scripting attacks are broadly classified into two categories.
- Server XSS: In this type of attack the attacker's untrusted data is included in the HTML response by the server. The vulnerability is at the server end; the browser simply runs the script that arrives in the response.
Directives: This header field has four directives:
- 0: Disables X-XSS-Protection.
- 1: The default; enables X-XSS-Protection. If the browser detects an attack, it sanitizes the page (removes the unsafe parts) and still renders it.
- 1; mode=block: Enables X-XSS-Protection. If the browser detects an attack, it does not render the page at all.
- 1; report=<reporting-URI>: Enables X-XSS-Protection. If a cross-site scripting attack is detected, the page is sanitized and a report is sent to the URI given by the report directive.
Example 1: Block pages from loading when the browser detects a reflected Cross-site Scripting attack:
// Enables the protection and blocks rendering on detection
X-XSS-Protection: 1; mode=block
// Disables the protection
X-XSS-Protection: 0
Example 2: This will work on an Apache server (requires mod_headers; place it in the server configuration or a .htaccess file).
Header set X-XSS-Protection "1; mode=block"
Example 3: This will work on an Nginx server (in the server or location block).
add_header "X-XSS-Protection" "1; mode=block";
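The following script, added here as an example and not part of the original article, parses the four directive forms listed above and audits raw HTTP responses such as those the Apache and Nginx configurations in Examples 2 and 3 would produce. The sample responses are constructed for the example. It also flags a response that sends X-XSS-Protection without Content-Security-Policy: Chromium removed the XSS Auditor this header controls in Chrome 78 and Firefox never implemented one, so CSP is the mitigation that current browsers actually enforce.

```python
"""Audit the X-XSS-Protection header of raw HTTP responses (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class XssProtectionPolicy:
    enabled: bool                      # "1" -> True, "0" -> False
    mode_block: bool = False           # "mode=block" present
    report_uri: Optional[str] = None   # value of "report=<uri>", if any
    unknown_tokens: List[str] = field(default_factory=list)


def parse_xss_protection(value: str) -> XssProtectionPolicy:
    """Parse a header value such as '1; mode=block' or '1; report=/r'.

    The first token must be 0 or 1; later tokens are ';'-separated
    name=value pairs. Anything unrecognised is kept for reporting.
    """
    tokens = [t.strip() for t in value.split(";") if t.strip()]
    if not tokens or tokens[0] not in ("0", "1"):
        raise ValueError(f"invalid X-XSS-Protection value: {value!r}")
    policy = XssProtectionPolicy(enabled=(tokens[0] == "1"))
    for token in tokens[1:]:
        name, _, param = token.partition("=")  # keep '=' inside a report URI
        name, param = name.strip().lower(), param.strip()
        if name == "mode" and param.lower() == "block":
            policy.mode_block = True
        elif name == "report" and param:
            policy.report_uri = param
        else:
            policy.unknown_tokens.append(token)
    return policy


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response head (status line + headers) into a lowercase dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw_response: str) -> dict:
    """Return the parsed policy plus a list of defender-facing findings."""
    headers = parse_response_headers(raw_response)
    findings: List[str] = []
    policy: Optional[XssProtectionPolicy] = None
    value = headers.get("x-xss-protection")
    if value is None:
        findings.append("X-XSS-Protection header absent")
    else:
        try:
            policy = parse_xss_protection(value)
        except ValueError as exc:
            findings.append(str(exc))
        else:
            if not policy.enabled:
                findings.append("filter explicitly disabled (0)")
            elif not policy.mode_block:
                findings.append("filter in sanitize mode; prefer '1; mode=block'")
            if policy.unknown_tokens:
                findings.append("unrecognised tokens: " + ", ".join(policy.unknown_tokens))
    if "content-security-policy" not in headers:
        findings.append("no Content-Security-Policy; X-XSS-Protection is not a substitute")
    return {"policy": policy, "findings": findings}


# Constructed sample responses (not captured from any real server).
APACHE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
X-XSS-Protection: 1; mode=block
Content-Type: text/html
"""

LEGACY_RESPONSE = """HTTP/1.1 200 OK
X-XSS-Protection: 0
Content-Type: text/html
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; script-src 'self'
Content-Type: text/html
"""

if __name__ == "__main__":
    for name, raw in [("apache", APACHE_RESPONSE), ("legacy", LEGACY_RESPONSE),
                      ("hardened", HARDENED_RESPONSE)]:
        result = audit(raw)
        print(name, result["policy"], result["findings"] or "OK")
```

The auditor treats a missing CSP as a finding even when `1; mode=block` is set, which is the practical point: the legacy header is harmless to keep for old browsers, but it must not be the only XSS control a response relies on.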
Supported Browsers: The browsers that support the X-XSS-Protection header are listed below:
- Google Chrome
- Internet Explorer