VID | 210180
Severity | 20
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The browser's built-in reflected-XSS filter is not enabled, or is explicitly disabled, by the 'X-XSS-Protection' HTTP response header the web server returns: the header is absent, or it is set to '0'.
Note that this header only drives the legacy XSS auditor of older browsers. Chrome (78 and later) and Edge have removed that auditor and Firefox never implemented it, so the header is not a substitute for correct output encoding and a Content-Security-Policy; treat it as a defence-in-depth setting for legacy clients.
* References: https://www.owasp.org/index.php/Security_Headers
* Platforms Affected: Any operating system, any version |
Recommendation |
* Define the following in Apache's httpd.conf file (mod_headers must be loaded), then run 'apachectl configtest' and reload the server:
    <IfModule mod_headers.c>
        Header set Content-Security-Policy "script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; connect-src http:; child-src 'self'"
        Header set X-Content-Type-Options nosniff
        Header set X-XSS-Protection "1; mode=block"
        Header set Cache-Control "no-store"
        Header set Pragma "no-cache"
        Header set X-Frame-Options SAMEORIGIN
    </IfModule>
  Caveats on this policy: 'unsafe-inline' is only meaningful for script-src and style-src, so the original child-src 'unsafe-inline' matched no origin and would have blocked every frame and worker; it is written as child-src 'self' above. 'connect-src http:' permits XHR/fetch/WebSocket connections to any plaintext-HTTP origin and should be narrowed to the hosts the application actually calls. With no default-src, directives that are not listed (object-src, font-src, frame-src, ...) stay unrestricted; add a restrictive default-src if that is not intended. 'Cache-Control: no-store' as written applies to every response, static assets included; scope it with <Location> or <FilesMatch> if that is a problem.
* For a Java web application server (WAS), add the header to every response from a servlet filter:
    response.setHeader("X-XSS-Protection", "1; mode=block"); |
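To verify the fix, the check below reproduces what this finding tests for, plus the companion headers in the recommendation. It is an added example, not the scanner's code or the web server's: `parse_raw_headers` splits a captured HTTP response into a header dict, `audit_headers` returns the findings a reviewer would raise, and the two sample responses (`HARDENED_HEADERS`, `WEAK_RESPONSE`) are constructed for the demonstration.

```python
"""Offline audit of the response headers this finding asks for.

Added example (not the scanner's or the server's code). Function and
constant names are this example's own; the sample responses are constructed.
"""
from typing import Dict, List


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response (status line + header block) into name -> value."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def xss_protection_enabled(value: str) -> bool:
    """True for '1' or '1; mode=block' (case/whitespace tolerant); '0' or empty is not enabled."""
    tokens = [t.strip().lower() for t in value.split(";") if t.strip()]
    return bool(tokens) and tokens[0] == "1"


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return the findings for one response; an empty list means all checks passed."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower().strip(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    xssp = h.get("x-xss-protection")
    if xssp is None:
        findings.append("X-XSS-Protection missing")
    elif not xss_protection_enabled(xssp):
        findings.append(f"X-XSS-Protection disabled ({xssp!r})")
    elif "mode=block" not in xssp.replace(" ", "").lower():
        findings.append("X-XSS-Protection set without mode=block")

    # CSP is the control that actually matters on current browsers.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives: Dict[str, List[str]] = {}
        for directive in csp.split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0].lower()] = parts[1:]
        # script-src falls back to default-src when absent.
        script = directives.get("script-src", directives.get("default-src"))
        if script is None:
            findings.append("CSP has neither script-src nor default-src")
        elif any(s.lower() in ("'unsafe-inline'", "*") for s in script):
            findings.append("CSP script-src permits inline or wildcard scripts")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return findings


# Constructed sample: the header set the Apache recommendation produces.
HARDENED_HEADERS = {
    "Content-Security-Policy": "script-src 'self'; img-src 'self'; "
                               "style-src 'self' 'unsafe-inline'; "
                               "connect-src http:; child-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1;mode=block",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample: a raw response that triggers this finding.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_HEADERS),
                        ("weak", parse_raw_headers(WEAK_RESPONSE))):
        print(label, audit_headers(hdrs) or "OK")
```

Feed it the headers of a real response (for example the output of `curl -sI https://host/`) split with `parse_raw_headers`; an empty result means the recommendation above is in place.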
Related URL (CVE) |
Related URL (SecurityFocus) |
Related URL (ISS) |
|