# ---------------------------------------------------------------------- # | Cross-Site Scripting (XSS) Protection | # ---------------------------------------------------------------------- # Protect website reflected Cross-Site Scripting (XSS) attacks. # # (1) Try to re-enable the cross-site scripting (XSS) filter built # into most web browsers. # # The filter is usually enabled by default, but in some cases it # may be disabled by the user. However, in Internet Explorer for # example, it can be re-enabled just by sending the # `X-XSS-Protection` header with the value of `1`. # # (2) Prevent web browsers from rendering the web page if a potential # reflected (a.k.a non-persistent) XSS attack is detected by the # filter. # # By default, if the filter is enabled and browsers detect a # reflected XSS attack, they will attempt to block the attack # by making the smallest possible modifications to the returned # web page. # # Unfortunately, in some browsers (e.g.: Internet Explorer), # this default behavior may allow the XSS filter to be exploited, # thereby, it's better to inform browsers to prevent the rendering # of the page altogether, instead of attempting to modify it. # # https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities # # (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that # you are taking all possible measures to prevent XSS attacks, the # most obvious being: validating and sanitizing your website's inputs. # # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/ # https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/ # https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 add_header X-XSS-Protection $x_xss_protection always;