X-XSS-Protection header
# help-with-umbraco
a
What's your experience with setting this header? Umbraco/MSDN seems to recommend removing this header. If I understand correctly, older browsers (which do not support CSP) could use the absence of the X-XSS-Protection header to create an attack. Is it better to keep the header, but for example set it to `Sanitize` instead of `Block`?
s
a
But then older browsers can be used to do such an attack, right? As they do not support CSP yet.
https://security.stackexchange.com/questions/253924/is-it-better-to-disable-x-xss-protection-header-or-set-the-header-as-x-xss-prote
It is preferred to explicitly set the X-XSS-Protection header to 0 because of the simple fact that having it explicitly disabled prevents XSS Auditor being enabled (which is enabled by default in older browsers unless specifically disabled). This header has a history of doing harm which is why all the browsers are removing it. There are cases where implementing XSS Auditor can implement cross-site information leaks and there are ways to bypass the Auditor.

The way I see it you have more to gain actively disabling it than not including it, and relying instead on a robust Content Security Policy (CSP) header. Even where older browsers don't support CSP I would still disable X-XSS-Protection just to be sure XSS Auditor is disabled as in some old browsers it is enabled by default as mentioned and may actually degrade the security of an old browser visiting the site.
So it seems setting it to 0 explicitly is even better than removing the header.
s
It depends on who the site is for, but looking at belastingdienst.nl and rabobank.nl who don't have the header at all, I'd say that they would have extremely strict auditing, so if they don't need it, you probably don't need it.
j
OWASP say either 0 or not set. If someone's using that old a browser then that kind of XSS is the least of their problems.
It's worth bearing in mind that the header simply enables a detection feature for reflected XSS. If your site isn't reflecting, which it really shouldn't be, then whether the browser is capable of detecting it doesn't really matter. https://learn.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-8.0
a
Thanks, clarified it a bit, especially the why part 🙂