
Insecure HTTP Header Setting: X-XSS-Protection Header

Description

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome, and Safari: it tells the browser to stop a page from loading when the browser detects a reflected cross-site scripting (XSS) attack in it.

Recommendation

Add the X-XSS-Protection header with a value of "1; mode=block" to every response:

X-XSS-Protection: 1; mode=block
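An added example (not part of the original page) that parses the header's "1; mode=block" directive syntax, classifies a response's header as missing, disabled, weak or ok against the value recommended above, and produces the corrected header set; the header dictionaries are constructed samples, not captured traffic.

```python
"""Check a response's X-XSS-Protection header against the recommended
value "1; mode=block". Added example, not part of the original page."""
from typing import Dict, Optional, Tuple

RECOMMENDED = "1; mode=block"


def parse_xss_protection(value: str) -> Tuple[Optional[bool], Dict[str, str]]:
    """Split '1; mode=block' into (enabled, {directive: value}).

    Returns enabled=None when the first token is neither '0' nor '1'.
    Directive names are lower-cased; values keep their case (report URLs).
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None, {}
    enabled = {"0": False, "1": True}.get(parts[0])
    directives: Dict[str, str] = {}
    for item in parts[1:]:
        name, _, val = item.partition("=")
        directives[name.strip().lower()] = val.strip()
    return enabled, directives


def assess(headers: Dict[str, str]) -> str:
    """Classify the header as 'missing', 'invalid', 'disabled', 'weak' or 'ok'.
    Header names are matched case-insensitively, as HTTP requires."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-xss-protection"), None)
    if value is None:
        return "missing"
    enabled, directives = parse_xss_protection(value)
    if enabled is None:
        return "invalid"           # first token is neither '0' nor '1'
    if enabled is False:
        return "disabled"          # filter explicitly switched off
    if directives.get("mode", "").lower() != "block":
        return "weak"              # filter on, but page is sanitised, not blocked
    return "ok"


def fixed_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with the recommended value set."""
    out = {k: v for k, v in headers.items() if k.lower() != "x-xss-protection"}
    out["X-XSS-Protection"] = RECOMMENDED
    return out
```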

Standards

  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_6_4
    • REQ_11_3