Missing 'X-XSS-Protection' Header

Web App Scanning Plugin ID 112526 (Severity: Info)

Synopsis

Missing 'X-XSS-Protection' Header

Description

The HTTP 'X-XSS-Protection' response header is a feature of older browsers that let a website control the browser's built-in reflected-XSS auditor (enable it, switch it to block mode, or disable it). Chrome removed its XSS Auditor in version 78, Edge retired its XSS filter, and Firefox never implemented one, so the header has no effect in current mainstream browsers.

The server is not configured to return an 'X-XSS-Protection' header. Browsers that did implement the auditor enabled it by default, so the missing header leaves those legacy clients in their default 'filter' mode rather than the stricter '1; mode=block' setting. The absence of the header does not by itself create a Cross-Site Scripting (XSS) vulnerability, which is why this finding is informational; pages on this site that are vulnerable to reflected XSS simply get no extra help from legacy browsers. This URL is flagged as a specific example.

Because modern browsers have deprecated and removed the feature, if support for legacy browsers is not required the recommended control is a Content-Security-Policy that does not allow 'unsafe-inline' scripts (for example, a 'script-src' directive restricted to trusted origins, nonces or hashes), together with proper output encoding. Note that when a 'script-src' directive is absent, browsers fall back to 'default-src', so the inline-script restriction must hold for whichever directive is effective.

Solution

If legacy browsers must be supported, configure your web server to include an 'X-XSS-Protection' header with a value of '1; mode=block' on all pages (at minimum on every HTML response). Avoid the plain value '1' (filter mode without 'mode=block'): in the browsers that implemented it, filter mode rewrote the page instead of blocking it and was itself abusable as a side channel. For sites that ship a Content-Security-Policy without 'unsafe-inline' scripts, the OWASP Secure Headers Project now recommends 'X-XSS-Protection: 0', i.e. explicitly disabling the legacy auditor and relying on CSP and output encoding as the real XSS defence.
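The following is an added example, not Tenable's plugin code, showing how the condition behind this finding and the CSP alternative described above can be evaluated against a response's headers. It models the CSP fallback from 'script-src' to 'default-src' and the CSP Level 2/3 rule that a nonce or hash source makes 'unsafe-inline' ignored. The status names and the sample header sets are constructed for illustration and are not plugin output.

```python
"""Added example (not Tenable's plugin code): classify a response by its
X-XSS-Protection and Content-Security-Policy headers.

Status values returned by assess() are this example's own names:
  "ok"      - CSP already restricts inline scripts; X-XSS-Protection is moot
  "missing" - no X-XSS-Protection and no CSP restricting inline scripts
  "legacy"  - '1; mode=block' present, protecting legacy browsers only
  "weak"    - some other X-XSS-Protection value (e.g. '1' or '0') without CSP
"""

import re

# Nonce or hash source expressions, e.g. 'nonce-r4nd0m' or 'sha256-...'
_NONCE_OR_HASH = re.compile(r"'(nonce-[^']+|sha(256|384|512)-[^']+)'")


def parse_csp(value):
    """Parse a CSP header value into {directive-name: [source tokens]}.

    Browsers honour only the first occurrence of a directive, so a repeated
    directive later in the policy is ignored here as well.
    """
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def script_sources(policy):
    """Effective script source list: 'script-src', else 'default-src' fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")  # None if neither directive is present


def csp_blocks_inline_scripts(value):
    """True if the policy restricts inline scripts, the condition set in the description."""
    sources = script_sources(parse_csp(value))
    if sources is None:
        return False  # no script-src and no default-src: inline scripts run freely
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return True
    # CSP Level 2/3: a nonce or hash source causes 'unsafe-inline' to be ignored
    return any(_NONCE_OR_HASH.fullmatch(s) for s in lowered)


def assess(headers):
    """Return the status string for one response's headers (case-insensitive names)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xxp = lowered.get("x-xss-protection")
    csp = lowered.get("content-security-policy")
    if csp is not None and csp_blocks_inline_scripts(csp):
        return "ok"
    if xxp is None:
        return "missing"
    if xxp.strip().startswith("1") and "mode=block" in xxp:
        return "legacy"
    return "weak"


# Constructed sample header sets (not real scan data)
SAMPLE_RESPONSES = {
    "no headers at all": {"Content-Type": "text/html"},
    "legacy header only": {"X-XSS-Protection": "1; mode=block"},
    "filter mode only": {"X-XSS-Protection": "1"},
    "csp with nonce": {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'"
    },
    "csp allowing inline": {"Content-Security-Policy": "default-src 'self' 'unsafe-inline'"},
    "csp plus explicit 0": {
        "X-XSS-Protection": "0",
        "Content-Security-Policy": "script-src 'self'",
    },
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(f"{label:22s} -> {assess(headers)}")
```

The "csp with nonce" case is the one worth noting: its policy literally contains 'unsafe-inline', yet inline scripts are still restricted because the nonce source takes precedence in CSP Level 2 and later, so a naive substring check for 'unsafe-inline' would misreport it.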

See Also

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp

Plugin Details

Severity: Info

ID: 112526

Type: remote

Published: 11/27/2018

Updated: 3/25/2024

Scan Template: basic, config_audit, full, overview, pci, quick, scan