# ---------------------------------------------------------------------- # | Cross-Site Scripting (XSS) Protection | # ---------------------------------------------------------------------- # Protect website reflected Cross-Site Scripting (XSS) attacks. # # (1) Try to re-enable the cross-site scripting (XSS) filter built into most # web browsers. # # The filter is usually enabled by default, but in some cases, it may be # disabled by the user. However, in Internet Explorer, for example, it can # be re-enabled just by sending the `X-XSS-Protection` header with the # value of `1`. # # (2) Prevent web browsers from rendering the web page if a potential reflected # (a.k.a non-persistent) XSS attack is detected by the filter. # # By default, if the filter is enabled and browsers detect a reflected XSS # attack, they will attempt to block the attack by making the smallest # possible modifications to the returned web page. # # Unfortunately, in some browsers (e.g.: Internet Explorer), this default # behavior may allow the XSS filter to be exploited. Therefore, it's better # to inform browsers to prevent the rendering of the page altogether, # instead of attempting to modify it. # # https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities # # (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that you are # taking all possible measures to prevent XSS attacks, the most obvious # being: validating and sanitizing your website's inputs. # # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/ # https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/ # https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 add_header X-XSS-Protection $x_xss_protection always;