You probably want to read some good information on XSS such as:
https://owasp.org/www-community/attacks/xss/

Jim

On 7/19/2021 5:27 AM, Jim Albert wrote:
X-XSS-Protection is just an HTTPD response header that instructs the browsers that respect the header to not make a request from the content of the page that appears to be an XSS attack.

Based on the page below, I don't think X-XSS-Protection offers much.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

XSS really needs to be addressed at the point where content is created, particularly if your concern is responding to security scan results. A Content Security Policy offers better protection, but that still won't get you past a security scan where XSS vulnerabilities exist, nor should it. Per the previous reply, "Defensive code" is the best solution.

Jim
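As an added example that is not part of this thread, an Apache httpd configuration fragment (assumed to sit in the main server or a VirtualHost config with mod_headers loaded) that sets the X-XSS-Protection header from James's reply alongside the Content-Security-Policy header that actually constrains script execution in current browsers:

```apache
# Added example, not from the thread. Requires mod_headers
# (a2enmod headers on Debian/Ubuntu, LoadModule headers_module elsewhere).
<IfModule mod_headers.c>
    # Legacy header from the thread. Current Chrome and Edge ignore it and
    # Firefox never implemented the auditor, so it satisfies a scanner
    # checkbox rather than providing a control.
    Header always set X-XSS-Protection "1; mode=block"

    # The header that does the work: scripts may only be loaded from this
    # origin, and inline <script> blocks, event handlers and javascript: URLs
    # are refused, so a reflected payload that reaches the page does not run.
    # Start with Content-Security-Policy-Report-Only if the site has inline
    # scripts; 'self'-only script-src will block them.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"

    # Prevent MIME sniffing, which can turn an uploaded text file into a script.
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
```

Check the result with `apachectl configtest` and `curl -I https://your-host/` (host is a placeholder); the headers should appear on every response, including error pages, which is why `always` is used.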

On 7/19/2021 2:04 AM, Thejas Hl wrote:
Hi,
    Thanks for your email.
    Is it possible the server is filtering XSS attacks from browser-to-server requests (with header X-XSS-Protection: "1; mode=block")? If so, then kindly provide the steps for the same.

regards
Thejas


On Fri, 16 Jul 2021 at 12:50, James Smith <j...@sanger.ac.uk> wrote:

    You can add:

    Header always set X-XSS-Protection "1; mode=block"

    which will help – but the rest you need to look at the way you
    code your pages.

    Then you can look at
    (1) defensive code
    (2) Content-Security-Policy header
    (3) Specific rules in Apache to mitigate attacks

    Remembering that XSS is often a vector for other attacks.

    *From:* Thejas Hl <thejashl...@gmail.com>
    *Sent:* 16 July 2021 06:31
    *To:* users@httpd.apache.org
    *Subject:* [users@httpd] query regarding httpd server [EXT]

    Hello team,

    Is an XSS attack internally taken care of by the Apache httpd
    server? If yes, kindly share the steps to activate protection
    against such an attack.

    Thanks and regards

    tej

