Transaction

jm –Zå¾â.ݸÑËbIw”¥h2&*pßý.‰!üMSolutions : The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP. Header type Response header Forbidden header name no SyntaxSection X-XSS-Protection: 0 X-XSS-Protection: 1 X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=<reporting-uri> 0 Disables XSS filtering. 1 Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts). 1; mode=block Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected. 1; report=<reporting-URI> (Chromium only) Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report. ExampleSection Block pages from loading when they detect reflected XSS attacks: X-XSS-Protection: 1; mode=block PHP header("X-XSS-Protection: 1; mode=block"); Apache (.htaccess) <IfModule mod_headers.c> Header set X-XSS-Protection "1; mode=block" </IfModule> Nginx add_header "X-XSS-Protection" "1; mode=block";