Reputation: 16255
I have tried to put this:
<meta http-equiv="X-XSS-Protection" content="0">
in the <head> tag but have had no luck. I am trying to get rid of pesky IE preventing cross-site scripting
Upvotes: 32
Views: 126945
Reputation: 15935
You should simply send an HTTP header (instead of an HTML meta element) with the value X-XSS-Protection: 0 and then forget about this header. Any other option, including not emitting this HTTP header, may leave your web site or web app vulnerable to XSS attacks or data leaks.
See my answer to another related question for more details: https://stackoverflow.com/a/57802070/334451
Upvotes: 0
Reputation: 29
In some cases, if you use .htaccess, you will need to use double quotes:
Header set x-xss-protection "1; mode=block"
Upvotes: 2
Reputation: 8142
If you are using .Net MVC you can configure it through customHeaders in Web.Config.
To add these headers, go to the httpProtocol node and add those headers inside the customHeaders node.
<!-- Belongs under <system.webServer> in Web.config; element names are case-sensitive -->
<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <add name="X-XSS-Protection" value="1; mode=block" />
  </customHeaders>
</httpProtocol>
I highly recommend this link, which explains how you can configure secure IIS response headers in ASP.NET MVC: http://insiderattack.blogspot.com/2014/04/configuring-secure-iis-response-headers.html
Upvotes: 24
Reputation: 2046
In ASP Classic, this tag will do it:
<% Response.AddHeader "X-XSS-Protection", "1" %>
Upvotes: 3
Reputation: 724
In Apache, you need to edit the config file, this file could be:
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
In the file you can add these lines at the end to enable HTTP Header XSS Protection:
<IfModule mod_headers.c>
Header set X-XSS-Protection: "1; mode=block"
</IfModule>
Note: if mod_headers is external to the main Apache core (not compiled into Apache) then you would use .so rather than .c, i.e. <IfModule mod_headers.so>
After that, save changes, and restart apache with:
sudo service apache2 restart
or
sudo service httpd restart
Hope this helps! :)
Upvotes: 5
Reputation: 5389
# Turn on IE8-IE9 XSS prevention tools
Header set X-XSS-Protection "1; mode=block"
This header is exclusive to Internet Explorer 8 and 9. It turns on cross-site scripting protection in IE 8 and IE 9, which is turned off by default as it could potentially break some websites. To turn on the XSS filter, use the header X-XSS-Protection "1; mode=block". If you wish to prevent this filter from being turned on for your website, set the header's value to "0".
Upvotes: 0
Reputation: 86504
I doubt it'd work as just a meta tag. You may have to tell your web server to send it as a real header.
In PHP, you'd do it like
header("X-XSS-Protection: 0");
In ASP.net:
Response.AppendHeader("X-XSS-Protection","0")
In Apache's config:
Header set X-XSS-Protection 0
In IIS, there's a section in the properties for extra headers. It often has "X-Powered-By: ASP.NET" already set up in it; you'd just add "X-XSS-Protection: 0" to that same place.
Upvotes: 46
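To check which of the configurations above actually reaches the browser as a real response header rather than only as a meta tag, the following added example (not code from any answer on this page) parses a raw HTTP response and reports how X-XSS-Protection is delivered. The function name `audit` and both sample responses are constructed for illustration.

```python
import re
from email.parser import Parser

# Constructed sample responses (not captured from a real server).
META_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta http-equiv="X-XSS-Protection" content="0"></head></html>'
)
HEADER_SET = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "\r\n"
    "<html><head></head></html>"
)

# Matches the meta-tag form tried in the question.
META_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?x-xss-protection["\']?[^>]*>', re.I)

def audit(raw):
    """Report how X-XSS-Protection is delivered in a raw HTTP/1.1 response."""
    head, _, body = raw.partition("\r\n\r\n")
    _status_line, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    # Header names are case-insensitive, so "x-xss-protection" also matches.
    values = headers.get_all("X-XSS-Protection") or []
    result = {"sent_as_header": bool(values), "meta_only": False,
              "enabled": None, "mode": None, "duplicate": len(values) > 1}
    if values:
        # Directives are separated by ';', e.g. "1; mode=block".
        parts = [p.strip().lower() for p in values[0].split(";")]
        result["enabled"] = parts[0] == "1"
        for part in parts[1:]:
            if part.startswith("mode="):
                result["mode"] = part[len("mode="):]
    elif META_RE.search(body):
        # Present only in the markup: the server never sent the header.
        result["meta_only"] = True
    return result

if __name__ == "__main__":
    for name, raw in (("meta only", META_ONLY), ("header set", HEADER_SET)):
        print(name, audit(raw))
```

The `duplicate` flag is set when the header appears more than once, which can happen when both the application code and the web server configuration add it.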