Tune The Web

X-XSS-Protection HTTP Header

Introduction

Cross Site Scripting (also known as XSS) is a security vulnerability where a hacker manages to run code, which the browser treats as being from the website. This means the web browser gives it access to all the same information and resources that the website has (e.g. access to cookies). It is listed as number 3 in the OWASP 2013 Top 10 security issues. This header ensures that certain XSS protections built into web browsers are switched on.

What exactly those protections are, are not easy to find without digging through the code (probably for good reason!). However it does seem to work when tested so does appear to add some value. The same test in Firefox (which does not support this header), or with this header explicitly switched off, causes the XSS to succeed.

How to set it up

Add the X-XSS-Protection header to your web server and set the value to "1; mode=block". In Apache, that would be set with the following config:

#Force XSS (should be on by default in most browsers anyway) Header always set X-XSS-Protection "1; mode=block"

As this is really only needed on HTML code returned by the server you could put this in a FilesMatch block (assuming you know all the file extensions on your server that return an HTML document):

<FilesMatch "\.(htm|html|php)$"> #Force XSS (should be on by default in most browsers anyway) Header always set X-XSS-Protection "1; mode=block" </FilesMatch>

Note there are certain scenarios when you actually might want to disable the X-XSS-Protection header (by setting the value to 0). Facebook does for a very good reason, however these are relatively rare and for most people above setting is to be recommended.

Support

This header is supported by IE and webkit browsers like Chrome and Safari. It is not supported in Firefox.

The downsides

This is non-standard header (hence why it begins with X) and, while support is there in Internet Explorer and Chrome (which will probably cover a lot of your users), there is no guarantee this will continue.

A lot of it's protection is likely to be replaced by CSP which has much better cross browser support (though with a few bugs at the time of writing!), and it allows you to refine exactly what content you want to allow on your page, rather than a blanket on or off setting.

It will also add 30 bytes to each request, which some might see as a waste - though personally I think such a small amount is nothing to worry about and would rather have the protection it might offer and, as discussed above, this can be limited to document types.

Amd finally, as mentioned above, there are certain scenarios when you actually might want to disable the X-XSS-Protection header, but these are very rare and if in one of these scenarios you'll likely have security experts to much more knowledgeable than me! For most of the rest of us the advise is to turn this on.

Summary

This HTTP can add security to some browsers, and there is no real downside to setting it on your server for most people, so we recommend setting it.

This page was originally created on and last edited on .

How useful was this page?

Load more comments!