X-XSS-Protection not implemented

Description

During the scan, Kayran found that the X-XSS-Protection header is not implemented. The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome, and Safari that stops a page from loading when the browser detects a potential reflected cross-site scripting (XSS) attack.

The main impact of this finding is that, because the X-XSS-Protection response header is not implemented, the browser's built-in reflected-XSS filter is not enabled, which may leave users exposed to Cross Site Scripting (XSS) attacks.

Recommendation

Add the X-XSS-Protection header with the value "1; mode=block":

X-XSS-Protection: 1; mode=block
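The check below is an added example, not Kayran's own scanner code. It shows how a scanner or a deployment test can classify a response: header absent (the finding on this page), explicitly disabled (0), enabled without mode=block, enabled with the recommended value, or unparseable. The value syntax it parses (0, 1, 1; mode=block, 1; report=<uri>) is the one documented on the MDN page referenced below; the sample responses and the report URI are constructed for illustration.

```python
"""Classify the X-XSS-Protection header of captured HTTP responses.

Added example (not part of the Kayran page or scanner). Header names are
matched case-insensitively, as HTTP requires, and the value syntax follows
the MDN documentation: "0", "1", "1; mode=block", "1; report=<uri>".
"""
from typing import Dict, List, Tuple

RECOMMENDED_VALUE = "1; mode=block"


def headers_from_raw(raw_response: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a dict.

    Stops at the first blank line (end of headers); the status line is skipped.
    """
    headers: Dict[str, str] = {}
    lines = raw_response.splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if line.strip() == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def parse_xss_protection(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a header value into its flag ("0" or "1") and a directive map.

    Returns ("", {}) when the leading flag is not 0 or 1.
    """
    parts = [p.strip() for p in value.split(";")]
    flag = parts[0]
    if flag not in ("0", "1"):
        return "", {}
    directives: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        name, _, val = part.partition("=")  # first "=" only, so URIs keep their own "="
        directives[name.strip().lower()] = val.strip()
    return flag, directives


def check_xss_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (finding, detail) for one response's header dict."""
    value = None
    for name, val in headers.items():
        if name.lower() == "x-xss-protection":
            value = val
            break
    if value is None:
        return "not_implemented", "X-XSS-Protection header is absent"
    flag, directives = parse_xss_protection(value)
    if flag == "":
        return "invalid", f"unparseable value {value!r}"
    if flag == "0":
        return "disabled", "browser XSS filter explicitly disabled (value 0)"
    if directives.get("mode") == "block":
        return "ok", "filter enabled with mode=block"
    return "weak", "filter enabled without mode=block; the page is sanitised rather than blocked"


def add_recommended_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with the recommended value set if it was absent."""
    fixed = dict(headers)
    if check_xss_protection(fixed)[0] == "not_implemented":
        fixed["X-XSS-Protection"] = RECOMMENDED_VALUE
    return fixed


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES: List[str] = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-xss-protection: 1; mode=block\r\n\r\n",
    "HTTP/1.1 200 OK\r\nX-XSS-Protection: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; report=https://report.example/xss\r\n\r\n",
]


def scan_samples() -> List[str]:
    """Classify every constructed sample; returns the list of finding names."""
    return [check_xss_protection(headers_from_raw(raw))[0] for raw in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for raw, finding in zip(SAMPLE_RESPONSES, scan_samples()):
        print(f"{finding:16s} {raw.splitlines()[1:3]}")
```

Only the first sample reproduces this page's finding; the others show why a scanner should distinguish an absent header from a present but weak or disabled one before reporting. Note that the MDN page referenced below documents this header as deprecated: Chromium removed its XSS Auditor in version 78 and Firefox never implemented it, so a Content-Security-Policy remains the primary browser-side defence and this header is a legacy hardening measure for older clients.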

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
