X-XSS-Protection Header Set to 0
Description
The X-XSS-Protection header is set to 0, which disables the browser's XSS Filter. This could make the application more vulnerable to cross-site scripting attacks.
Examples
Insecure Code
```javascript
res.header('X-XSS-Protection', 0);
```
Secure Code
```javascript
res.header('X-XSS-Protection', '1; mode=block');
```
Remediation
Set the X-XSS-Protection header to '1; mode=block' to enable the browser's XSS Filter.
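As an added example (not the rule's own code, and not taken from the page), the following Express-style middleware applies the remediated value and pairs it with a small classifier that judges a response the way this rule does. The `res.header` stand-in and the `makeResponse` helper are assumptions so the block runs without Express.

```javascript
// Added example: remediated middleware plus a check for the X-XSS-Protection value.
// The response object is a minimal stand-in (assumption) exposing header()/get().

const XSS_PROTECTION_VALUE = '1; mode=block';

// Remediated middleware: enable the filter and block rendering on detection.
function xssProtectionMiddleware(req, res, next) {
  res.header('X-XSS-Protection', XSS_PROTECTION_VALUE);
  next();
}

// Insecure variant from the rule page, kept for comparison: 0 disables the filter.
function insecureMiddleware(req, res, next) {
  res.header('X-XSS-Protection', 0);
  next();
}

// Classify a header value: '0' disables the filter, '1' enables sanitizing mode,
// '1; mode=block' blocks the page instead, '1; report=<url>' enables reporting.
function classifyXssProtection(value) {
  if (value === undefined || value === null) return 'missing';
  const v = String(value).trim().toLowerCase();
  if (v === '0') return 'disabled';
  if (v === '1') return 'enabled-sanitize';
  if (/^1\s*;\s*mode=block$/.test(v)) return 'enabled-block';
  if (/^1\s*;\s*report=\S+$/.test(v)) return 'enabled-report';
  return 'unknown';
}

// Minimal Express-like response (assumption): stores headers case-insensitively,
// stringifying values as Express does.
function makeResponse() {
  const headers = {};
  return {
    header(name, value) { headers[name.toLowerCase()] = String(value); return this; },
    get(name) { return headers[name.toLowerCase()]; },
  };
}

// Run a middleware against a fresh response and report the verdict.
function runMiddleware(mw) {
  const res = makeResponse();
  let nextCalled = false;
  mw({}, res, () => { nextCalled = true; });
  const value = res.get('X-XSS-Protection');
  return { nextCalled, value, verdict: classifyXssProtection(value) };
}
```

Modern Chromium-based browsers and Firefox no longer ship the XSS auditor this header controlled, so treat it as legacy defense in depth and keep a Content-Security-Policy and output encoding as the primary cross-site scripting controls.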
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0398 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-358 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XSS, Security Misconfiguration |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |