HCL Commerce Version 9.1.2.0 or later

Deprecated: Enabling the X-XSS-Protection header

The X-XSS-Protection header is deprecated because most modern browsers (including Chrome, Edge, and Firefox) have removed built-in XSS filtering support. That makes this header ineffective and, in some cases, capable of introducing additional security vulnerabilities.

Before you begin

You can configure the X-XSS-Protection header settings to help you protect your site against cross-site scripting attacks. It can stop some browsers from loading pages when they detect reflected cross-site scripting attacks.

The Content-Security-Policy (CSP) header is now the recommended replacement for XSS protection. CSP is configured in the web server. It provides a more robust and flexible mechanism to prevent cross-site scripting by specifying authorized sources of content that browsers are allowed to load.

HCL Commerce Version 9.1.20.0 or later: X-XSS-Protection is disabled by default and the CSP header is enabled by default in the web server configuration.

About this task

You can help to protect your site from cross-site scripting attacks using the X-XSS-Protection header. For more information about using the header, see Enabling security with HTTP headers.

For technical information about the header, please see the Mozilla.org documentation page.

The following are possible values for your X-XSS-Protection header:

0
    Disables XSS filtering.
1
    Enables XSS filtering (usually the default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
1; mode=block
    Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected. This is the default setting used in Commerce.
1; report=<reporting-URI> (Chromium only)
    Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.

Procedure

  • The Transaction Server's HttpSecurityFilter class adds the X-XSS-Protection header to the response based on the configuration specified in the foundation wc-component.xml. It is enabled by default for the Rest-Transaction WAR with the following configuration:
    <_config:configgrouping name="HttpSecuritySettings_Rest-Transaction">
     <!-- Set the value of X-XSS-Protection header. Empty value will disable this header. The default value stops some browsers from loading pages when they detect reflected cross-site scripting attacks -->
       <_config:property name="X-XSS-ProtectionHeader" value="1; mode=block"/>
    </_config:configgrouping>
    
    Note (HCL Commerce Version 9.1.20.0 or later):

    Starting from HCL Commerce 9.1.20, use of wc-component.xml to configure the HTTP headers is deprecated. The default X-XSS-ProtectionHeader value has been changed to “”, meaning the X-XSS-Protection header is not specified.

    Instead, the Content-Security-Policy header has been enabled by default in the httpd.conf and virtual-host-6443.conf web server configuration files. For more information, see Web server security considerations. Configuring a CSP value in the wc-component.xml file might result in duplicate CSP headers.

  • To customize the X-XSS-Protection header value, or to specify it for other WARs, add the corresponding property to your extended foundation wc-component.xml file. For more information about how to create a custom configuration file, see Changing properties in the HCL Commerce configuration file (wc-component.xml).
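The following is an added example (not part of the HCL Commerce documentation or product code) that audits a captured HTTP response head for the header states this page describes: a legacy X-XSS-Protection value still being emitted, a missing Content-Security-Policy header, and duplicate CSP headers from configuring CSP in both the web server and wc-component.xml. The sample responses are constructed; the value pattern covers only the four forms listed above.

```python
import re
from typing import List, Tuple

# The four X-XSS-Protection forms listed on this page; anything else is malformed.
_XSS_VALUE_RE = re.compile(r"^(0|1|1;\s*mode=block|1;\s*report=\S+)$")


def parse_response_head(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs.
    Names are lower-cased; duplicates are kept so they can be counted."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_security_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings about X-XSS-Protection and Content-Security-Policy."""
    findings = []
    xss = [v for n, v in headers if n == "x-xss-protection"]
    csp = [v for n, v in headers if n == "content-security-policy"]
    for value in xss:
        if not _XSS_VALUE_RE.match(value):
            findings.append(f"X-XSS-Protection has unexpected value {value!r}")
        elif value == "0":
            findings.append("X-XSS-Protection: 0 (filter disabled; drop the header entirely)")
        else:
            findings.append(f"X-XSS-Protection: {value} (deprecated filter; rely on CSP instead)")
    if not csp:
        findings.append("Content-Security-Policy header missing")
    elif len(csp) > 1:
        findings.append(f"duplicate Content-Security-Policy headers ({len(csp)}); "
                        "check wc-component.xml and httpd.conf")
    return findings


# Constructed sample: pre-9.1.20 default header and no CSP from the web server.
LEGACY_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "X-XSS-Protection: 1; mode=block\r\n\r\n")
# Constructed sample: CSP emitted by both httpd.conf and wc-component.xml.
DUPLICATE_CSP_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                          "Content-Security-Policy: default-src 'self'\r\n"
                          "Content-Security-Policy: default-src 'self'\r\n\r\n")

if __name__ == "__main__":
    for finding in audit_security_headers(parse_response_head(LEGACY_RESPONSE)):
        print(finding)
```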