2018-11-23 17:14:15 +01:00
|
|
|
# ----------------------------------------------------------------------
|
2019-05-15 18:26:04 +02:00
|
|
|
# | Cross-Site Scripting (XSS) Protection |
|
2018-11-23 17:14:15 +01:00
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
|
2019-05-15 18:26:04 +02:00
|
|
|
# Protect website reflected Cross-Site Scripting (XSS) attacks.
|
|
|
|
#
|
2018-11-23 17:14:15 +01:00
|
|
|
# (1) Try to re-enable the cross-site scripting (XSS) filter built
|
|
|
|
# into most web browsers.
|
|
|
|
#
|
|
|
|
# The filter is usually enabled by default, but in some cases it
|
|
|
|
# may be disabled by the user. However, in Internet Explorer for
|
|
|
|
# example, it can be re-enabled just by sending the
|
|
|
|
# `X-XSS-Protection` header with the value of `1`.
|
|
|
|
#
|
|
|
|
# (2) Prevent web browsers from rendering the web page if a potential
|
|
|
|
# reflected (a.k.a non-persistent) XSS attack is detected by the
|
|
|
|
# filter.
|
|
|
|
#
|
|
|
|
# By default, if the filter is enabled and browsers detect a
|
|
|
|
# reflected XSS attack, they will attempt to block the attack
|
|
|
|
# by making the smallest possible modifications to the returned
|
|
|
|
# web page.
|
|
|
|
#
|
|
|
|
# Unfortunately, in some browsers (e.g.: Internet Explorer),
|
|
|
|
# this default behavior may allow the XSS filter to be exploited,
|
|
|
|
# thereby, it's better to inform browsers to prevent the rendering
|
|
|
|
# of the page altogether, instead of attempting to modify it.
|
|
|
|
#
|
|
|
|
# https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
|
|
|
|
#
|
|
|
|
# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that
|
|
|
|
# you are taking all possible measures to prevent XSS attacks, the
|
|
|
|
# most obvious being: validating and sanitizing your website's inputs.
|
|
|
|
#
|
|
|
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
|
|
|
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/
|
|
|
|
# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
|
|
|
|
# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
|
|
|
|
|
2019-02-10 20:46:58 +01:00
|
|
|
add_header X-XSS-Protection $x_xss_protection always;
|