Reputation: 559
How to fix this error in console?
Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block:expected semicolon at character position 14.
The default protections will be applied.
Upvotes: 43
Views: 57293
Reputation: 9958
I had this error when I was proxying a Docker service through NGINX. Both the Docker service and NGINX add the header, so I need to dedupe. I finally came up with this:
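# http context: $xss_p gets a value only when the upstream sent no X-XSS-Protection header
map $upstream_http_x_xss_protection $xss_p {
    '' '1; mode=block';
}
# add_header emits nothing for an empty value, so the header is never sent twice
add_header X-XSS-Protection $xss_p always;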
I call this “poor man’s set_header”. Thanks to the great hint from David and kolbyjack.
Upvotes: 4
Reputation: 2368
If you are dealing with a load balancer, don't put the extra headers on the load balancer. The headers will get populated and passed up from the servers through the load balancer. Putting it on both causes duplicate headers and causes this error.
Upvotes: 1
Reputation: 53
If you are using Akamai, use the "modify" instead of the "add" behavior in your configuration. Make sure you have selected the "avoid duplicate headers" option, which is only available in "modify" mode.
Upvotes: 2
Reputation: 6084
If the error is shown even though you send the right header, check whether you are perhaps sending the header twice. This is shown in the error console under Network when you click on any file.
Sending the header twice can happen if, for the server,
add_header X-XSS-Protection "1; mode=block";
is noted in two different include files or one include file is included twice. Browsers, or at least Chrome, then concatenate the two headers internally, and the WRONG rule that is applied is then, as shown in the question:
X-XSS-Protection: "1; mode=block, 1; mode=block"
Upvotes: 47
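The duplicate-header check described in the answer above, as an added example that is not part of the original post. It groups the header lines of a raw response, joins repeated X-XSS-Protection values with ", " as that answer describes the browser doing, and reports where the joined value stops being valid. The sample response is constructed, and the regular expression is a simplified grammar assumed for illustration, not Chrome's parser.

```python
import re
from collections import defaultdict

# Constructed sample: the response head a client receives when both the
# upstream service and the proxy add the header (header names are
# case-insensitive, so these two lines count as the same field).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "\r\n"
)

# Simplified grammar (assumption): "0", or "1" followed by ";"-separated options.
XSS_VALUE = re.compile(r"\s*(0|1(\s*;\s*(mode=block|report=[^\s;,]+))*)\s*")


def parse_headers(raw):
    """Group header values by lower-cased name, keeping arrival order."""
    head = raw.split("\r\n\r\n", 1)[0]
    grouped = defaultdict(list)
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            grouped[name.strip().lower()].append(value.strip())
    return grouped


def check_xss_protection(raw):
    """Return (copies, joined value, 1-based position of first bad char or None)."""
    values = parse_headers(raw).get("x-xss-protection", [])
    if not values:
        return 0, "", None
    merged = ", ".join(values)
    match = XSS_VALUE.match(merged)
    end = match.end() if match else 0
    bad_at = None if end == len(merged) else end + 1
    return len(values), merged, bad_at


if __name__ == "__main__":
    copies, merged, bad_at = check_xss_protection(SAMPLE_RESPONSE)
    print(f"copies={copies} joined={merged!r} first_bad_char={bad_at}")
```

Counting from 1, the first character the grammar rejects in the joined value is the comma that separates the two copies.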
Reputation: 5913
I had the same error in Chrome. I was adding the header to multiple sites.
Instead, you should add it to the http block if you are using NGINX:
http {
    add_header X-XSS-Protection "1; mode=block";
    ...
}
Upvotes: 5
Reputation: 7448
You are not following the proper syntax of X-XSS-Protection, so you are getting a parsing error.
I think you are looking for this:
X-XSS-Protection: 1; mode=block
So remove the , 1 at the end of yours.
Upvotes: 1