Product
Features Why Beagle Security? API Security Testing DevSecOps Cosmog: Private Tunnel WordPress Security Testing OWASP Security Testing Free Security Testing
Solutions
Pricing
NewFree tools
Website Security Assessment SSL Certificate Checker Domain Expiry Checker
Resources
Blog Developer Docs Help Center Guides Whitepapers Vulnerability Index Partners
Blog Home
05 Jun 2018

X-XSS-Protection header disabled

05 Jun 2018
OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 OWASP PC-C1 CWE-16 HIPAA-164.308(a) ISO27001-A.14.2.5 WASC-15

The X-XSS-Protection response header is one of the major features of most of the web browsers to stop cross-site scripting. It stops the pages from loading when they detect reflected cross-site scripting attacks. It is found that the X XSS Protection header is disabled in the application. This application is at risk due to its vulnerability to Cross-site Scripting attacks.The X-XSS-Protection header is designed to enable the cross-site scripting filter built into modern web browsers.

    X-XSS-Protection: 0                              # Disable XSS filtering
    X-XSS-Protection: 1                              # Enables filtering. If cross site scripting detected - the browser will sanitise
    X-XSS-Protection: 1; mode=block                  # Under this mode, when cross site scripting detected - the browser wont render the page
    X-XSS-Protection: 1; report=<reporting-uri>        # Enables filtering, when detected - the browser will sanitise and report the violation

Example

    X-XSS-Protection: 1; mode=block

Impact

The major impact for this violation is cross-scripting attacks.

Mitigation / Precaution

The only mitigation is to enable the X-XSS-Protection and set the value to 1.

PHP

    header("X-XSS-Protection: 1; mode=block");

Apache (.htaccess)

    <IfModule mod_headers.c>
      Header set X-XSS-Protection "1; mode=block"
    </IfModule>

Nginx

    add_header "X-XSS-Protection" "1; mode=block";




Latest Articles

Zero-Day Vulnerabilities in Web Applications
July 18 2022
How DevSecOps is a Key Enabler for Digital Transformation
July 10 2022
Beagle Security named a Leader in G2 Summer 2022 Reports
June 28 2022
8 Login Tips to Stay Safe Online
June 16 2022
Spring4Shell Vulnerability: Analysis and Mitigation
June 8 2022

Explore morearrow



Popular in Injection

Union Query SQL Injection (SQLi)
July 4 2018
Stacked Queries SQL Injection (SQLi)
July 4 2018
SQL injection(SQLi)
July 4 2018
Inline Queries SQL Injection (SQLi)
July 4 2018
Error based SQL Injection (SQLi)
July 4 2018

Explore morearrow

Categories

Client Side URL Redirect HSTS Cookies Attributes IBM SQL injection injection Time Based Blind SQL Injection SSL Injection CRLF Content Security Policy CSRF CORS Information Leakage status code SRI metadata X-XSS-Protection owasp Clickjacking XSS Cookies Directory traversal DOM XSS RFI SQL Injection Blind SQL Injection XML Injection blog Web server TLS WordPress web security SMB Cyber attacks AI Wordpress Data Security DOMECTF2020 Container security CMS Security Code Execution Content security policy Htaccess Bypass DOMECTF2021 Press Webinar DevSecOps Web Security

Latest Articles

Explore More
How DevSecOps is a Key Enabler for Digital Transformation
DevSecOps
How DevSecOps is a Key Enabler for Digital Transformation
10 Jul 2022
Beagle Security named a Leader in G2 Summer 2022 Reports
Press
Beagle Security named a Leader in G2 Summer 2022 Reports
28 Jun 2022
8 Login Tips to Stay Safe Online
Data Security
8 Login Tips to Stay Safe Online
16 Jun 2022
Spring4Shell Vulnerability: Analysis and Mitigation
Code Execution
Spring4Shell Vulnerability: Analysis and Mitigation
08 Jun 2022
Zoom Patches “Zero-Click” RCE Bug
Zoom Patches “Zero-Click” RCE Bug
31 May 2022
A Comprehensive Guide to Web Application Security
web security
A Comprehensive Guide to Web Application Security
26 May 2022
Two-factor authentication: How Beagle Security handles 2FA security testing
AI
Two-factor authentication: How Beagle Security handles 2FA security testing
08 May 2022
State of Application Security in the IT Sector
Webinar
State of Application Security in the IT Sector
19 Apr 2022
What is Shift Left Security? Benefits and Best Practices
What is Shift Left Security? Benefits and Best Practices
01 Apr 2022
Why is penetration testing important for businesses?
Why is penetration testing important for businesses?
09 Mar 2022
Beagle Security listed among G2’s Best Security Products 2022
Press
Beagle Security listed among G2’s Best Security Products 2022
10 Feb 2022
What is ModSecurity? Installation Guide for Apache on Ubuntu
web security
What is ModSecurity? Installation Guide for Apache on Ubuntu
08 Feb 2022
PwnKit (CVE-2021-4034): Linux system service bug
PwnKit (CVE-2021-4034): Linux system service bug
25 Jan 2022
Web Cache Deception
Web Cache Deception
16 Jan 2022
Beagle Security named a Leader in G2's Winter 2022 Report
Press
Beagle Security named a Leader in G2's Winter 2022 Report
08 Jan 2022
Web Cache Poisoning
Web Cache Poisoning
01 Jan 2022
OWASP Top 10 2021
owasp
OWASP Top 10 2021
29 Dec 2021
5 Biggest Data Breaches of 2021
5 Biggest Data Breaches of 2021
18 Dec 2021
Log4j Vulnerability
Log4j Vulnerability
13 Dec 2021
Cookie Theft: Phishing Campaign Targets YouTube Creators
Cookies
Cookie Theft: Phishing Campaign Targets YouTube Creators
22 Nov 2021
DomeCTF 2021
DOMECTF2021
DomeCTF 2021
22 Nov 2021
Explore More