Disabled 'X-XSS-Protection' Header

Web App Scanning Plugin ID 112527 (Severity: Info)

Synopsis

Disabled 'X-XSS-Protection' Header

Description

The HTTP 'X-XSS-Protection' response header is a feature of modern browsers that lets a website control the browser's built-in reflected-XSS filter (the "XSS auditor").

The server did not return a correct 'X-XSS-Protection' header, which means that this website could be at risk of a Cross-Site Scripting (XSS) attack.

If support for legacy browsers is not needed, it is recommended to use a Content-Security-Policy that does not allow unsafe-inline scripts instead.

Solution

Configure your web server to include an 'X-XSS-Protection' header with a value of '1; mode=block'.
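The following is an added example (not part of the Tenable plugin or its scanner logic) showing how a defender can evaluate a captured set of response headers against this finding: it classifies the 'X-XSS-Protection' value (missing, disabled, enabled without mode=block, or the recommended '1; mode=block'), and, because the description points to Content-Security-Policy as the preferred control, it also checks whether a CSP governs scripts without 'unsafe-inline'. It assumes headers are supplied as a plain name-to-value mapping, and the sample responses at the bottom are constructed, not real scan data. Note that the header only has an effect in browsers that still ship an XSS auditor, which is why the CSP route is preferred.

```python
"""Evaluate X-XSS-Protection and the CSP alternative in HTTP response headers.

Added example, not part of the Tenable plugin. It assumes response headers are
given as a mapping of header name -> value (names compared case-insensitively).
"""
from typing import Dict, List, Mapping, Optional

RECOMMENDED_VALUE = "1; mode=block"  # the value the plugin's Solution asks for


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def classify_xss_protection(headers: Mapping[str, str]) -> str:
    """Classify the X-XSS-Protection header as one of:
    'missing', 'malformed', 'disabled', 'enabled_no_block', 'correct'.
    Only 'correct' matches the recommended '1; mode=block'."""
    raw = get_header(headers, "X-XSS-Protection")
    if raw is None:
        return "missing"
    # Value grammar: "0" | "1" [; mode=block] [; report=<uri>]
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return "malformed"
    if parts[0] == "0":
        return "disabled"  # the site explicitly switched the filter off
    mode = None
    for directive in parts[1:]:
        key, sep, value = directive.partition("=")
        key = key.strip().lower()
        if key == "mode" and sep:
            mode = value.strip().lower()
        elif key == "report" and sep:
            continue  # a report URI is allowed and does not affect the verdict
        else:
            return "malformed"
    if mode == "block":
        return "correct"
    if mode is None:
        return "enabled_no_block"  # filter on, but it sanitises instead of blocking
    return "malformed"  # mode= with an unknown value


def csp_blocks_inline_scripts(headers: Mapping[str, str]) -> bool:
    """True when a Content-Security-Policy governs scripts without 'unsafe-inline'.

    script-src wins; default-src is the fallback; with neither, scripts are not
    governed at all. Conservative simplification: any 'unsafe-inline' token is
    treated as weak, even if a nonce or hash would make CSP3 browsers ignore it."""
    raw = get_header(headers, "Content-Security-Policy")
    if raw is None:
        return False
    directives: Dict[str, List[str]] = {}
    for directive in raw.split(";"):
        tokens = directive.split()
        if tokens:
            # Per CSP, a repeated directive name is ignored: keep the first one.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    return "'unsafe-inline'" not in (s.lower() for s in sources)


def assess(headers: Mapping[str, str]) -> str:
    """'pass' when the header matches the recommendation, 'pass_csp' when a
    strong CSP covers inline scripts instead, otherwise 'fail' (this finding)."""
    if classify_xss_protection(headers) == "correct":
        return "pass"
    if csp_blocks_inline_scripts(headers):
        return "pass_csp"
    return "fail"


# Constructed sample responses (not real scan output).
SAMPLE_RESPONSES = {
    "hardened": {"X-XSS-Protection": RECOMMENDED_VALUE},
    "csp_only": {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'"},
    "weak_csp": {"content-security-policy": "script-src 'self' 'unsafe-inline'"},
    "disabled": {"x-xss-protection": "0"},
    "bare": {},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:9s} xss={classify_xss_protection(hdrs):17s} "
              f"csp_ok={csp_blocks_inline_scripts(hdrs)!s:5s} -> {assess(hdrs)}")
```

The classifier is deliberately strict: '1' without 'mode=block' is reported separately, because in auditor-equipped browsers the sanitising mode has historically been the weaker of the two settings, and the plugin's recommendation is the blocking form.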

See Also

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp

Plugin Details

Severity: Info

ID: 112527

Type: remote

Published: 11/27/2018

Updated: 3/25/2024

Scan Template: basic, config_audit, full, overview, pci, quick, scan