
[DEPRECATED] The X-XSS-Protection security header was created to control the built-in protection against Reflected Cross-Site Scripting (XSS) attacks in web browsers. In the past XSS protection was built into Internet Explorer, Chrome, Edge, and Safari. Firefox never implemented XSS protection. When a browser with built-in and activated XSS protections detected an XSS attack, the browser would remove the unsafe scripts from the page.

Options

The X-XSS-Protection header has the following options:

0 -> Disable XSS filtering
1 -> Enable XSS filter mode (remove unsafe scripts)
1; mode=block -> Enable XSS block mode (block loading of pages with unsafe scripts)
1; report=<reporting-URI> -> Enable XSS filter mode and report violations to the provided URL

Problems

The problem with XSS protection is that it introduces new possibilities for cross-site information leak attacks. Because of this, in 2016 the XSS auditor in Chrome switched from filter mode to block mode, which completely blocked loading of a page when XSS was detected. Not long after this change, security researchers found different ways to abuse the XSS auditor's block mode to steal information such as tokens from web sessions, and there were also numerous issues with legitimate scripts being falsely blocked. Because of these issues, Chrome switched back to filter mode in 2019, thereby reintroducing the cross-site information leak vulnerabilities. Within three months Chrome removed its XSS auditor altogether, after Edge had already done the same for its XSS filter in 2018. Currently (May 2022) only Internet Explorer and Safari still have built-in XSS protection. The consensus among security researchers is that XSS protection in browsers is best disabled and that the Content Security Policy header (CSP) should be used to mitigate XSS vulnerabilities.
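The following Python script is an added example, not code from Really Simple SSL or from the references below. It parses the four documented X-XSS-Protection option forms from the Options section and then audits a set of response headers against the recommendation above: the header should be sent as "0" and a Content-Security-Policy header should carry the actual XSS mitigation. The finding codes (xss-filter-mode, xss-block-mode, xss-absent, xss-invalid, csp-missing) and the sample header sets at the bottom are constructed for this example.

```python
"""Parse X-XSS-Protection and audit it against the recommended setting.

Added example (not Really Simple SSL code). The header grammar follows the
four documented options; the audit encodes the recommendation to send "0"
and rely on Content-Security-Policy instead of the browser XSS auditor.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class XssProtection:
    enabled: bool                  # False for "0", True for "1"
    block: bool                    # True when "mode=block" is present
    report_uri: Optional[str]      # value of "report=<reporting-URI>", if any


def parse_x_xss_protection(value: str) -> XssProtection:
    """Parse a header value such as "1; mode=block" into its options.

    Accepts the documented forms "0", "1", "1; mode=block" and
    "1; report=<reporting-URI>"; both directives may also be combined.
    Anything else raises ValueError.
    """
    parts = [p.strip() for p in value.strip().split(";")]
    flag = parts[0]
    if flag not in ("0", "1"):
        raise ValueError(f"unknown X-XSS-Protection flag {flag!r}")
    block = False
    report_uri = None
    for directive in parts[1:]:
        if not directive:            # tolerate a trailing ";"
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name == "mode" and val.lower() == "block":
            block = True
        elif name == "report" and val:
            report_uri = val
        else:
            raise ValueError(f"unknown X-XSS-Protection directive {directive!r}")
    if flag == "0" and (block or report_uri):
        raise ValueError("mode/report directives are meaningless with flag 0")
    return XssProtection(enabled=(flag == "1"), block=block, report_uri=report_uri)


# Finding codes returned by audit_headers() (constructed for this example).
FINDINGS = {
    "xss-filter-mode": "X-XSS-Protection enables the browser XSS filter: "
                       "filter mode leaks cross-site information; send 0 instead",
    "xss-block-mode":  "X-XSS-Protection uses mode=block: block mode was abused "
                       "to steal session tokens and falsely blocked legitimate "
                       "scripts; send 0 instead",
    "xss-absent":      "X-XSS-Protection not sent: legacy browsers (IE, Safari) "
                       "apply their own default; send 0 to disable explicitly",
    "xss-invalid":     "X-XSS-Protection value could not be parsed",
    "csp-missing":     "No Content-Security-Policy header: CSP is the recommended "
                       "XSS mitigation now that browser filters are deprecated",
}


def audit_headers(headers: dict) -> list:
    """Return the finding codes that apply to a set of response headers.

    Header names are compared case-insensitively, as HTTP requires.
    An empty list means X-XSS-Protection is 0 and a CSP header is present.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    raw = lowered.get("x-xss-protection")
    if raw is None:
        findings.append("xss-absent")
    else:
        try:
            parsed = parse_x_xss_protection(raw)
        except ValueError:
            findings.append("xss-invalid")
        else:
            if parsed.enabled:
                findings.append("xss-block-mode" if parsed.block else "xss-filter-mode")
    if "content-security-policy" not in lowered:
        findings.append("csp-missing")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real site.
    samples = {
        "legacy default": {"X-XSS-Protection": "1; mode=block"},
        "recommended":    {"x-xss-protection": "0",
                           "Content-Security-Policy": "default-src 'self'"},
    }
    for label, hdrs in samples.items():
        codes = audit_headers(hdrs)
        print(f"{label}: {codes or 'OK'}")
        for code in codes:
            print("  -", FINDINGS[code])
```

The audit deliberately treats a missing header as a finding rather than as "fine": the browsers that still ship an auditor apply their own default when the header is absent, so only an explicit "0" reliably turns it off, which is why the note below describes Really Simple SSL Pro sending exactly that value.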

References

https://owasp.org/www-project-secure-headers/#x-xss-protection
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
https://scotthelme.co.uk/deprecating-xss-reports
https://www.virtuesecurity.com/understanding-xss-auditor

NOTE: When enabled, Really Simple SSL Pro will set this header to "0" (disable XSS filtering) from version 5.4 onwards (May 2022).
