X-XSS-Protection Not Set


Description

The application does not set an X-XSS-Protection header. This header was introduced by Microsoft in IE 8 to block cross-site scripting (XSS) attacks. With the X-XSS-Protection header, if a reflected XSS attack is identified, the browser will log the attack and prevent rendering of the page. Currently, only Microsoft's Internet Explorer, Google Chrome and Safari support this header.
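As an added example (not part of the original finding text), the following checker classifies a response's X-XSS-Protection header the way a tester would when deciding whether this finding applies: absent, explicitly disabled (`0`), filter-only (`1`), or blocking (`1; mode=block`). The sample response headers are constructed, not captured from any real application.

```python
from typing import Dict, Optional

# Header names are case-insensitive, so match on the lowercased name.
HEADER = "x-xss-protection"


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Return the header value regardless of the case the server used."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def classify_xss_protection(headers: Dict[str, str]) -> str:
    """Return one of: 'missing', 'disabled', 'filter', 'block', 'invalid'."""
    value = get_header(headers, HEADER)
    if value is None:
        return "missing"
    # Syntax: "<0|1>[; directive=value]..." e.g. "1; mode=block"
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return "invalid"
    if parts[0] == "0":
        return "disabled"  # filter explicitly turned off
    directives = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    if "mode" in directives:
        # Only "block" is a recognised mode; anything else is malformed.
        return "block" if directives["mode"].lower() == "block" else "invalid"
    return "filter"  # "1" alone: sanitise the page but still render it


def is_finding(headers: Dict[str, str]) -> bool:
    """The finding applies when the header is absent, disables the filter, or is malformed."""
    return classify_xss_protection(headers) in ("missing", "disabled", "invalid")


# Constructed sample responses for illustration.
SAMPLES = {
    "no_header": {"Content-Type": "text/html"},
    "blocking": {"X-XSS-Protection": "1; mode=block"},
    "filter_only": {"x-xss-protection": "1"},
    "disabled": {"X-XSS-Protection": "0"},
    "malformed": {"X-XSS-Protection": "yes"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12s} -> {classify_xss_protection(hdrs):8s} finding={is_finding(hdrs)}")
```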

Custom Description

Impact

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References
