X-XSS-Protection is a header that can be set on a webpage to activate “limited” XSS protection in certain browsers. At the time of writing, the header is available in all modern browsers except Firefox.
If you aren’t up to speed on what XSS is, have a quick read of the Wikipedia article on cross-site scripting first, then come back.
Great, now let’s first take a look at what browsers do out of the box. All browsers use static analysis to detect XSS attacks. They are rather vague about how they offer this protection, but usually it protects against the most basic attacks. A good write-up on how Chrome’s protection has evolved over time (and how it still gets bypassed) can be found here: https://blog.securitee.org/?p=37. That should give you an idea of the sort of things the browser will natively protect against.
Browsers usually have the XSS filter turned on by default, but setting the header enforces it explicitly. There are also a couple of other values that extend the behaviour of the header.
X-XSS-Protection Settings
X-XSS-Protection: 0
Disables XSS protection (handy when you want to test XSS against your own application).
X-XSS-Protection: 1
Enables XSS protection. If XSS is detected, the browser attempts to filter or sanitize the output, but still renders it for the most part.
X-XSS-Protection: 1; mode=block
Enables XSS protection and if XSS is detected, the browser stops rendering altogether.
X-XSS-Protection: 1; report=<reporting-uri>
The report directive works only in Chromium-based browsers (other browsers ignore it but still apply the protection). It lets you register a callback URL that is notified of XSS attempts.
Setting X-XSS-Protection at the Code Level
Similar to adding any other default header to your app, you can add a Use statement to the Configure method in your Startup.cs like so:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    // Add the header to every response before the rest of the pipeline runs.
    app.Use(async (context, next) =>
    {
        context.Response.Headers.Add("X-Xss-Protection", "1");
        await next();
    });
    app.UseMvc();
}
And you’re done!
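If you want the settings from the table above to be selectable from configuration rather than hard-coded in a lambda, the following is one way to wrap them in a small middleware. This is an added example, not code from the original post or from ASP.NET Core itself; the XssProtectionMode, XssProtectionOptions, XssProtectionMiddleware and UseXssProtection names are hypothetical, and the "/xss-report" path is a placeholder for a reporting endpoint you would have to provide yourself.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical helper (not part of ASP.NET Core): maps the header values
// listed in the settings table to an enum and applies them as middleware.
public enum XssProtectionMode
{
    Disabled,   // "0"
    Sanitize,   // "1"
    Block       // "1; mode=block"
}

public class XssProtectionOptions
{
    public XssProtectionMode Mode { get; set; } = XssProtectionMode.Block;

    // Optional reporting endpoint; only Chromium-based browsers act on it.
    // Ignored when Mode is Disabled, since "0" takes no directives.
    public string ReportUri { get; set; }

    // Builds the exact header value for the chosen settings.
    public string ToHeaderValue()
    {
        switch (Mode)
        {
            case XssProtectionMode.Disabled:
                return "0";
            case XssProtectionMode.Block:
                return AppendReport("1; mode=block");
            default:
                return AppendReport("1");
        }
    }

    private string AppendReport(string value) =>
        string.IsNullOrWhiteSpace(ReportUri) ? value : value + "; report=" + ReportUri;
}

public class XssProtectionMiddleware
{
    private readonly RequestDelegate _next;
    private readonly string _headerValue;

    public XssProtectionMiddleware(RequestDelegate next, XssProtectionOptions options)
    {
        _next = next ?? throw new ArgumentNullException(nameof(next));
        _headerValue = (options ?? new XssProtectionOptions()).ToHeaderValue();
    }

    public Task Invoke(HttpContext context)
    {
        // Set the header just before the response starts, so it is present even
        // when a later component writes the body early; headers cannot be changed
        // once the response has started.
        context.Response.OnStarting(() =>
        {
            context.Response.Headers["X-XSS-Protection"] = _headerValue;
            return Task.CompletedTask;
        });
        return _next(context);
    }
}

public static class XssProtectionExtensions
{
    public static IApplicationBuilder UseXssProtection(
        this IApplicationBuilder app, Action<XssProtectionOptions> configure = null)
    {
        var options = new XssProtectionOptions();
        configure?.Invoke(options);
        return app.UseMiddleware<XssProtectionMiddleware>(options);
    }
}

// Usage in Startup.Configure, placed before app.UseMvc():
//
// app.UseXssProtection(o =>
// {
//     o.Mode = XssProtectionMode.Block;
//     o.ReportUri = "/xss-report";   // placeholder: your own reporting endpoint
// });
```

Registering the middleware before UseMvc matters: anything short-circuited by an earlier component (static files, for example) would otherwise go out without the header.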
Setting X-Xss-Protection at Server level
If you are using IIS or any other web server in front of Kestrel, you can also set the header there. The steps differ for each server.
Setting X-XSS-Protection in IIS
The best way to do this if you are just using IIS to forward requests to Kestrel (Or even if this is actually being hosted in IIS), is to do this in IIS Manager.
- Open IIS Manager and, in the tree on the left, click the site you would like to manage.
- Double-click the “HTTP Response Headers” icon.
- Right-click the header list and select “Add”.
- For the “name” write “X-Xss-Protection” and for the value write your desired option, e.g. “1”.
Setting X-XSS-Protection in Apache
In your httpd.conf file you need to append the following line:
Header always append X-Xss-Protection 1
Setting X-XSS-Protection in .htaccess
Header append X-Xss-Protection "1"
Setting X-XSS-Protection in NGINX
In nginx.conf add the following line. Remember to restart (or reload) the service afterwards!
add_header X-Xss-Protection "1";
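Whichever layer you set the header at, it is worth confirming that the deployed server actually sends it, since a reverse proxy in front of Kestrel can strip or override response headers. The following small console program is an added example (not from the original post) that fetches a URL, reads the X-XSS-Protection header and interprets it according to the settings table above; the XssProtectionCheck name and the default http://localhost:5000/ URL are assumptions.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;

// Hypothetical checker (not from the post): reports the X-XSS-Protection
// header that a running server returns for a given URL.
public static class XssProtectionCheck
{
    // Returns the raw header value, or null when the server did not send it.
    public static async Task<string> GetHeaderValueAsync(HttpClient client, Uri url)
    {
        using (var response = await client.GetAsync(url, HttpCompletionOption.ResponseHeadersRead))
        {
            if (!response.Headers.TryGetValues("X-XSS-Protection", out var values))
                return null;
            return string.Join(", ", values);
        }
    }

    // Interprets a raw value per the settings table: "0", "1", "1; mode=block",
    // each optionally followed by "; report=<uri>".
    public static string Describe(string value)
    {
        if (value == null)
            return "header missing: browser default applies";

        var parts = value.Split(';').Select(p => p.Trim()).ToArray();
        if (parts[0] == "0")
            return "filter disabled";
        if (parts[0] != "1")
            return "unrecognised value: " + value;

        bool block = parts.Any(p => p.Equals("mode=block", StringComparison.OrdinalIgnoreCase));
        string report = parts.FirstOrDefault(p => p.StartsWith("report=", StringComparison.OrdinalIgnoreCase));

        string description = block
            ? "filter enabled, page blocked on detection"
            : "filter enabled, output sanitised but still rendered";
        return report == null
            ? description
            : description + ", reports sent to " + report.Substring("report=".Length);
    }

    public static async Task Main(string[] args)
    {
        // Assumed default: the Kestrel development address.
        var url = new Uri(args.Length > 0 ? args[0] : "http://localhost:5000/");
        using (var client = new HttpClient())
        {
            string value = await GetHeaderValueAsync(client, url);
            Console.WriteLine($"X-XSS-Protection: {(value ?? "(missing)")} -> {Describe(value)}");
        }
    }
}
```

Run it against the site once after each change to IIS, Apache or NGINX configuration; a "(missing)" result usually means the directive landed in the wrong server block or the service was not reloaded.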