Detections
Analytics
Missing 'X-XSS-Protection' Header
info Web App Scanning Plugin ID 112526
Language:
Synopsis
Missing 'X-XSS-Protection' HeaderDescription
The HTTP 'X-XSS-Protection' response header is a feature of modern browsers that allows websites to control their XSS auditors.The server is not configured to return a 'X-XSS-Protection' header which means that any pages on this website could be at risk of a Cross-Site Scripting (XSS) attack. This URL is flagged as a specific example.
If legacy browsers support is not needed, it is recommended to use Content-Security-Policy without allowing unsafe-inline scripts instead.
Solution
Configure your web server to include an 'X-XSS-Protection' header with a value of '1; mode=block' on all pages.See Also
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp
Plugin Details
Severity: Info
ID: 112526
Type: remote
Family: HTTP Security Header
Published: 11/27/2018
Updated: 3/25/2024
Scan Template: basic, config_audit, full, overview, pci, quick, scan