Title:

The X-XSS-Protection header is not defined in header.

Vulnerability:

What is X-XSS-Protection header?
This header configures the built-in reflected-XSS filter found in browsers (e.g. Internet Explorer, Chrome and Mozilla), which stops a page from loading when it detects a reflected cross-site scripting (XSS) attack. The basic syntax for this header is:

X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>

Without it, a parameter value that enters the web application from an untrusted source, most frequently a web request, can lead to cross-site scripting, through which an attacker can steal or modify data.

Solution:

Configure this header for the web application, ensuring the correct value is set:
X-XSS-Protection: 1; mode=block

PHP

header("X-XSS-Protection: 1; mode=block");

Apache (.htaccess)

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

Nginx

add_header "X-XSS-Protection" "1; mode=block";
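To verify the fix (or detect the finding in the first place), the following added example, which is not part of the original page, parses the header syntax listed above and classifies a response as missing, invalid, disabled, weak or OK. The function names and the sample header sets are this example's own.

```python
# Added example, not from the original page: a defender-side check that reads an
# HTTP response's headers and reports whether X-XSS-Protection is missing,
# malformed, disabled, or set to the recommended "1; mode=block". Function and
# sample names are this example's own. (Caveat: current Chromium-based browsers
# and Firefox ignore this header, so treat it as defence in depth beside CSP.)
from typing import Dict, Tuple

def parse_xss_protection(value: str) -> Tuple[str, Dict[str, str]]:
    """Split the header into its flag ('0'/'1') and directives; accepts only
    the syntax shown above and raises ValueError for anything else."""
    parts = [p.strip() for p in value.split(";")]
    flag = parts[0]
    if flag not in ("0", "1"):
        raise ValueError(f"flag must be 0 or 1, got {flag!r}")
    directives: Dict[str, str] = {}
    for part in parts[1:]:
        name, sep, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name not in ("mode", "report") or not sep or not val:
            raise ValueError(f"unknown or malformed directive {part!r}")
        if name == "mode" and val.lower() != "block":
            raise ValueError(f"mode must be 'block', got {val!r}")
        directives[name] = val
    return flag, directives

def check_xss_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, detail); header-name lookup is case-insensitive."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-xss-protection"), None)
    if value is None:
        return "MISSING", "X-XSS-Protection header is not defined"
    try:
        flag, directives = parse_xss_protection(value)
    except ValueError as exc:
        return "INVALID", f"malformed value {value!r}: {exc}"
    if flag == "0":
        return "DISABLED", "filter explicitly turned off (X-XSS-Protection: 0)"
    if directives.get("mode", "").lower() != "block":
        return "WEAK", "filter on but page still renders; use '1; mode=block'"
    return "OK", f"X-XSS-Protection: {value}"

# Constructed sample header sets (not captured from any real site).
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "hardened": {"content-type": "text/html", "x-xss-protection": "1; mode=block"},
    "sanitise_only": {"X-XSS-Protection": "1"},
    "disabled": {"X-XSS-Protection": "0"},
    "bad_mode": {"X-XSS-Protection": "1; mode=sanitize"},
}
for _name, _hdrs in SAMPLES.items():
    print(_name, *check_xss_protection(_hdrs))
```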