
how to set Http header X-XSS-Protection

开发者 https://www.devze.com 2023-02-03 00:11 Source: web

I have tried to put this:

   <meta http-equiv="X-XSS-Protection" content="0">

in the <head> tag but have had no luck. I am trying to get rid of pesky IE preventing cross-site scripting.


I doubt it'd work as just a meta tag. You may have to tell your web server to send it as a real header.

In PHP, you'd do it like

header("X-XSS-Protection: 0");

In ASP.net:

Response.AppendHeader("X-XSS-Protection","0")

In Apache's config:

Header set X-XSS-Protection 0

In IIS, there's a section in the properties for extra headers. It often has "X-Powered-By: ASP.NET" already set up in it; you'd just add "X-XSS-Protection: 0" to that same place.


If you are using .Net MVC you can configure it through customHeaders in Web.Config.

To add these headers, go to the httpProtocol node and add those headers inside the customHeaders node.

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <!-- remove is self-closing; add is a sibling, not a child, of remove -->
            <remove name="X-Powered-By" />
            <add name="X-XSS-Protection" value="1; mode=block" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

I highly recommend this link that explains how you can configure secure IIS response headers in ASP.NET MVC: http://insiderattack.blogspot.com/2014/04/configuring-secure-iis-response-headers.html


In Apache, you need to edit the config file, this file could be:

/etc/apache2/apache2.conf

/etc/apache2/httpd.conf

In the file you can add these lines at the end to enable HTTP Header XSS Protection:

<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

Note: if mod_headers is external to the main Apache core (not compiled into Apache) then you would use .so rather than .c, i.e. <IfModule mod_headers.so>

After that, save changes, and restart apache with:

sudo service apache2 restart

or

sudo service httpd restart

Hope this helps! :)


In ASP Classic, this tag will do it:

<% Response.AddHeader "X-XSS-Protection", "1" %>


In some cases, if you use .htaccess, you will need to use double quotes:

Header set x-xss-protection "1; mode=block"


# Turn on IE8-IE9 XSS prevention tools
Header set X-XSS-Protection "1; mode=block"

This header is exclusive to Internet Explorer 8 and 9; it turns on cross-site scripting protection in IE 8 and IE 9, which is turned off by default as it could potentially break some websites. To turn on the XSS filter, use the header X-XSS-Protection "1; mode=block". If you wish to prevent this filter from being turned on for your website, set the header's value to "0".

http://stopmalvertising.com/security/securing-your-website-with-.htaccess/.htaccess-http-headers.html

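Whichever server the answers above configure, the thing worth checking afterwards is what the server actually sends. This is an added Python check, not code from any of the answers: it parses a raw HTTP response (a constructed sample, as `curl -sI` would print it) and interprets the X-XSS-Protection value, matching the header name case-insensitively so the lowercase `.htaccess` form is found too.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample response for a server configured with
#   Header set X-XSS-Protection "1; mode=block"
SAMPLE_BLOCKING = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 03 Feb 2023 00:11:00 GMT\r\n"
    "Server: Apache\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

@dataclass
class XssPolicy:
    present: bool
    enabled: bool = False          # "1": legacy filter on, "0": off
    block: bool = False            # mode=block: stop rendering instead of sanitising
    report: Optional[str] = None   # report=<uri>: old-Chromium-only extension
    raw: str = ""

def parse_headers(raw_response: str) -> Dict[str, str]:
    """Headers of a raw HTTP response, names lower-cased (HTTP header
    names are case-insensitive). The first occurrence of a name wins."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:   # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def parse_xss_protection(raw_response: str) -> XssPolicy:
    """Interpret '0', '1', '1; mode=block' or '1; report=<uri>'."""
    value = parse_headers(raw_response).get("x-xss-protection")
    if value is None:
        return XssPolicy(present=False)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    policy = XssPolicy(present=True, raw=value)
    if not parts or parts[0] not in ("0", "1"):
        return policy                     # malformed value: not enabled
    policy.enabled = parts[0] == "1"
    for directive in parts[1:]:
        key, _, val = directive.partition("=")
        if key.strip().lower() == "mode" and val.strip().lower() == "block":
            policy.block = True
        elif key.strip().lower() == "report":
            policy.report = val.strip()
    return policy
```

Only older IE and pre-78 Chromium honour this header at all; Content-Security-Policy is the mechanism current browsers use, so treat this check as confirming the config took effect rather than as an XSS defence in itself.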
