How to set HTTP header X-XSS-Protection

暖寄归人 2020-12-13 19:16

I have tried to put this:

   

in the tag but have had n

6 Answers
  • 2020-12-13 19:26

    If you are using .Net MVC you can configure it through customHeaders in Web.Config.

    To add these headers, go to the httpProtocol node and add those headers inside the customHeaders node.

    <!-- Goes inside <system.webServer> in Web.config; element names are case-sensitive -->
    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
            <add name="X-XSS-Protection" value="1; mode=block" />
        </customHeaders>
    </httpProtocol>
    

    I highly recommend this link, which explains how you can configure secure IIS response headers in ASP.NET MVC: http://insiderattack.blogspot.com/2014/04/configuring-secure-iis-response-headers.html

  • 2020-12-13 19:26

    In ASP Classic, this tag will do it:

    <% Response.AddHeader "X-XSS-Protection", "1" %>
    
  • 2020-12-13 19:32

    In some cases, if you use .htaccess, you will need to use double quotes:

    Header set x-xss-protection "1; mode=block"
    
  • 2020-12-13 19:34

    I doubt it'd work as just a meta tag. You may have to tell your web server to send it as a real header.

    In PHP, you'd do it like

    header("X-XSS-Protection: 0");
    

    In ASP.net:

    Response.AppendHeader("X-XSS-Protection","0")
    

    In Apache's config:

    Header set  X-XSS-Protection  0
    

    In IIS, there's a section in the properties for extra headers. It often has "X-Powered-By: ASP.NET" already set up in it; you'd just add "X-XSS-Protection: 0" to that same place.

  • 2020-12-13 19:43
    # Turn on IE8-IE9 XSS prevention tools
    Header set X-XSS-Protection "1; mode=block"
    

    This header is exclusive to Internet Explorer 8 and 9; it turns on cross-site scripting protection in IE 8 and IE 9, which is turned off by default as it could potentially break some websites. To turn on the XSS filter, use the header X-XSS-Protection "1; mode=block". If you wish to prevent this filter from being turned on for your website, set the header's value to "0".

    http://stopmalvertising.com/security/securing-your-website-with-.htaccess/.htaccess-http-headers.html

  • 2020-12-13 19:45

    In Apache, you need to edit the config file; this file could be:

    /etc/apache2/apache2.conf

    /etc/apache2/httpd.conf

    In the file you can add these lines at the end to enable HTTP Header XSS Protection:

    <IfModule mod_headers.c>
        Header set X-XSS-Protection: "1; mode=block"
    </IfModule>
    

    Note: if mod_headers is external to the main Apache core (not compiled into Apache) then you would use .so rather than .c, i.e. <IfModule mod_headers.so>

    After that, save changes, and restart Apache with:

    sudo service apache2 restart

    or

    sudo service httpd restart

    Hope this helps! :)

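The answers above make two points that are easy to verify after deployment: the value must arrive as a real response header rather than a meta tag, and it takes the forms `0`, `1` or `1; mode=block`. The following Python check is an added example, not code from the thread; the function names, verdict strings and sample responses are constructed for illustration, and it also accepts the `report=<uri>` form, which the thread does not mention.

```python
import re

META = re.compile(r"<meta[^>]+http-equiv=[\"']?x-xss-protection", re.I)

def split_response(raw):  # -> ({lowercased header name: [values]}, body)
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def parse_value(value):
    """Parse '0', '1', '1; mode=block' or '1; report=<uri>'; None if malformed."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return None
    policy = {"enabled": parts[0] == "1", "block": False, "report": None}
    for part in parts[1:]:
        key, _, val = (s.strip() for s in part.partition("="))
        if key.lower() == "mode" and val.lower() == "block":
            policy["block"] = True
        elif key.lower() == "report" and val:
            policy["report"] = val
        else:
            return None
    return policy

def audit(raw):
    """Classify a response; a <meta http-equiv> tag in the body is not a header."""
    headers, body = split_response(raw)
    values = headers.get("x-xss-protection", [])
    if not values:
        return "meta-only" if META.search(body) else "missing"
    if len(values) > 1:
        return "duplicate"  # e.g. set by both server config and application code
    policy = parse_value(values[0])
    if policy is None:
        return "invalid"
    if not policy["enabled"]:
        return "disabled"
    return "block" if policy["block"] else "filter"

# Constructed sample responses, not captured from a real server.
OK = "HTTP/1.1 200 OK\r\nx-xss-protection: 1; mode=block\r\n\r\n<html></html>"
META_ONLY = 'HTTP/1.1 200 OK\r\n\r\n<meta http-equiv="X-XSS-Protection" content="1">'

if __name__ == "__main__":
    print({"OK": audit(OK), "META_ONLY": audit(META_ONLY)})
```

To check a live site, feed `audit` the raw response text saved from a tool such as `curl -i`.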