Enabling the X-XSS-Protection header
You can configure the X-XSS-Protection header settings to help protect your site against cross-site scripting attacks. The default value stops some browsers from loading pages when they detect reflected cross-site scripting attacks.
About this task
You can help to protect your site from cross-site scripting attacks using the X-XSS-Protection header.
For more information about this header, please see the Mozilla.org documentation page.
The following are the possible values for the X-XSS-Protection header:
- 0: Disables XSS filtering.
- 1: Enables XSS filtering (usually the default in browsers). If a cross-site scripting attack is detected, the browser sanitizes the page (removes the unsafe parts).
- 1; mode=block: Enables XSS filtering. Rather than sanitizing the page, the browser prevents rendering of the page if an attack is detected. This is the default setting used in Commerce.
- 1; report=<reporting-URI> (Chromium only): Enables XSS filtering. If a cross-site scripting attack is detected, the browser sanitizes the page and reports the violation. This uses the functionality of the CSP report-uri directive to send a report.
Procedure
- The Transaction Server’s HttpSecurityFilter class adds the X-XSS-Protection header to the response based on the configuration specified in the foundation wc-component.xml. It is enabled by default for the REST-Transaction WAR as follows:
    <_config:configgrouping name="HttpSecuritySettings_Rest-Transaction">
      <!-- Set the value of X-XSS-Protection header. Empty value will disable this header.
           The default value stops some browsers from loading pages when they detect
           reflected cross-site scripting attacks -->
      <_config:property name="X-XSS-ProtectionHeader" value="1; mode=block"/>
    </_config:configgrouping>
- To customize the X-XSS-Protection header value, or to specify it for other WARs, add the corresponding property to your extended foundation wc-component.xml file. For more information about how to create a custom configuration file, see Changing properties in the HCL Commerce configuration file (wc-component.xml).
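The following is an added example, not HCL Commerce code, that ties the two halves of this page together: it reads the X-XSS-ProtectionHeader property out of a wc-component.xml fragment for each configgrouping (treating an empty value as "no header sent", as the comment in the fragment states) and classifies a header value against the four documented forms, so that a configured value or a header captured from a response can be checked for what behaviour it actually requests. The XML sample is constructed from the fragment quoted above; the root element, the placeholder namespace URI bound to the `_config` prefix, the second configgrouping name and the sample response headers are assumptions made so that the example runs stand-alone.

```python
"""Check X-XSS-Protection configuration values and response headers.

Added example; not HCL Commerce code. The wc-component.xml fragment, the
namespace URI, the second configgrouping and the HTTP response headers are
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample modelled on the fragment quoted above. A root element and a
# placeholder namespace URI for the "_config" prefix are added so that it parses
# on its own; the real configuration file declares its own namespace.
SAMPLE_CONFIG = """<root xmlns:_config="urn:example:placeholder-config-namespace">
  <_config:configgrouping name="HttpSecuritySettings_Rest-Transaction">
    <!-- Set the value of X-XSS-Protection header. Empty value will disable this header. -->
    <_config:property name="X-XSS-ProtectionHeader" value="1; mode=block"/>
  </_config:configgrouping>
  <_config:configgrouping name="HttpSecuritySettings_Hypothetical-War">
    <!-- Hypothetical grouping: an empty value means the header is not sent at all. -->
    <_config:property name="X-XSS-ProtectionHeader" value=""/>
  </_config:configgrouping>
</root>
"""

NS = {"_config": "urn:example:placeholder-config-namespace"}
PROPERTY_NAME = "X-XSS-ProtectionHeader"


def configured_header_values(xml_text: str) -> Dict[str, Optional[str]]:
    """Return {configgrouping name: header value}. An empty value is returned as
    None, because the configuration comment documents it as disabling the header."""
    root = ET.fromstring(xml_text)
    values: Dict[str, Optional[str]] = {}
    for grouping in root.findall("_config:configgrouping", NS):
        for prop in grouping.findall("_config:property", NS):
            if prop.get("name") == PROPERTY_NAME:
                raw = prop.get("value", "")
                values[grouping.get("name", "")] = raw.strip() or None
    return values


# The documented value forms; whitespace after the semicolon is tolerated.
_MODE_BLOCK = re.compile(r"^1;\s*mode=block$")
_REPORT = re.compile(r"^1;\s*report=(\S+)$")


def classify_xss_protection(value: Optional[str]) -> str:
    """Map a header value to the behaviour it requests from the browser:
    'absent'   - no header at all (None or empty configuration value)
    'disabled' - "0"
    'sanitize' - "1"
    'block'    - "1; mode=block" (the Commerce default)
    'report'   - "1; report=<reporting-URI>"
    'invalid'  - anything else, which does not match a documented form"""
    if value is None or value.strip() == "":
        return "absent"
    v = value.strip()
    if v == "0":
        return "disabled"
    if v == "1":
        return "sanitize"
    if _MODE_BLOCK.match(v):
        return "block"
    if _REPORT.match(v):
        return "report"
    return "invalid"


def audit_response(headers: Dict[str, str]) -> str:
    """Classify the X-XSS-Protection header of one HTTP response.
    Header names are compared case-insensitively, as HTTP requires."""
    for name, value in headers.items():
        if name.lower() == "x-xss-protection":
            return classify_xss_protection(value)
    return "absent"


if __name__ == "__main__":
    for war, value in configured_header_values(SAMPLE_CONFIG).items():
        print(f"{war}: value={value!r} -> {classify_xss_protection(value)}")
    # Constructed response headers, as a scanner might capture them.
    sample_response = {"Content-Type": "text/html", "x-xss-protection": "1; mode=block"}
    print("response ->", audit_response(sample_response))
```

The classification describes what the header asks a browser to do, not what a given browser will actually do; the page itself notes that only some browsers act on it and that the report form is Chromium-only, so the result is best read alongside the site's Content-Security-Policy rather than as a stand-alone verdict.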