server-configs-nginx/h5bp/security/x-xss-protection.conf

# ----------------------------------------------------------------------
# | Reflected Cross-Site Scripting (XSS) attacks                       |
# ----------------------------------------------------------------------

# (1) Try to re-enable the cross-site scripting (XSS) filter built
#     into most web browsers.
#
#     The filter is usually enabled by default, but in some cases it
#     may be disabled by the user. However, in Internet Explorer for
#     example, it can be re-enabled just by sending the
#     `X-XSS-Protection` header with the value of `1`.
#
# (2) Prevent web browsers from rendering the web page if a potential
#     reflected (a.k.a non-persistent) XSS attack is detected by the
#     filter.
#
#     By default, if the filter is enabled and browsers detect a
#     reflected XSS attack, they will attempt to block the attack
#     by making the smallest possible modifications to the returned
#     web page.
#
#     Unfortunately, in some browsers (e.g.: Internet Explorer),
#     this default behavior may allow the XSS filter to be exploited,
#     thereby, it's better to inform browsers to prevent the rendering
#     of the page altogether, instead of attempting to modify it.
#
#     https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
#
# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that
#     you are taking all possible measures to prevent XSS attacks, the
#     most obvious being: validating and sanitizing your website's inputs.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/
# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

add_header X-XSS-Protection $x_xss_protection always;
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`# ----------------------------------------------------------------------`
			`# \| Reflected Cross-Site Scripting (XSS) attacks \|`
			`# ----------------------------------------------------------------------`

			`# (1) Try to re-enable the cross-site scripting (XSS) filter built`
			`# into most web browsers.`
			`#`
			`# The filter is usually enabled by default, but in some cases it`
			`# may be disabled by the user. However, in Internet Explorer for`
			`# example, it can be re-enabled just by sending the`
			# `X-XSS-Protection` header with the value of `1`.
			`#`
			`# (2) Prevent web browsers from rendering the web page if a potential`
			`# reflected (a.k.a non-persistent) XSS attack is detected by the`
			`# filter.`
			`#`
			`# By default, if the filter is enabled and browsers detect a`
			`# reflected XSS attack, they will attempt to block the attack`
			`# by making the smallest possible modifications to the returned`
			`# web page.`
			`#`
			`# Unfortunately, in some browsers (e.g.: Internet Explorer),`
			`# this default behavior may allow the XSS filter to be exploited,`
			`# thereby, it's better to inform browsers to prevent the rendering`
			`# of the page altogether, instead of attempting to modify it.`
			`#`
			`# https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities`
			`#`
			`# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that`
			`# you are taking all possible measures to prevent XSS attacks, the`
			`# most obvious being: validating and sanitizing your website's inputs.`
			`#`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection`
			`# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/`
			`# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/`
			`# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29`

Switch from location directives to maps based on MIME-types * Expire * X-XSS-Protection * X-Frame-Options * X-UA-Compatible * Content-Security-Policy * Access-Control-Allow-Origin 2019-02-10 20:46:58 +01:00			`add_header X-XSS-Protection $x_xss_protection always;`