# X-XSS-Protection header is set to 0

## Description

The X-XSS-Protection header is set to 0, which disables the browser's built-in XSS filter. This can make the application more vulnerable to cross-site scripting attacks.
## Examples

### Insecure Code

```javascript
const lusca = require('lusca');
// Sends X-XSS-Protection: 0 on every response, disabling the browser's XSS filter
app.use(lusca.xssProtection(false)); // app: an Express application
```

### Secure Code
```javascript
const helmet = require('helmet');
// Applies helmet's security-header middleware to every response
app.use(helmet()); // app: an Express application
```

## Remediation
Enable the X-XSS-Protection header by setting it to 1, or remove the configuration that sets it to 0. Consider using a security middleware such as helmet() to configure security headers consistently.
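The following is an added example of the remediation; it is not code from the rule page and not lusca's or helmet's own implementation. It shows an Express-style middleware that sets X-XSS-Protection to `1; mode=block`, together with a check that classifies the value a response actually carries (with `0` reported as the insecure setting this rule flags). The names `xssProtectionMiddleware`, `classifyXssProtection`, `auditResponse` and `makeResponse` are assumptions, and `makeResponse` is a stand-in for Node's response object so the block runs without express, helmet or lusca installed. Checking the emitted value matters because several middlewares may write this header and the last writer wins; helmet 4 and later, for example, set X-XSS-Protection to 0 by default, so the header should be verified rather than assumed from the middleware name.

```javascript
// Added example, not code from the rule page: an Express-style middleware that
// sets X-XSS-Protection explicitly, plus a checker that classifies the header
// value the way this rule does. A minimal stand-in for the Node response object
// keeps it runnable without express, helmet or lusca installed.
const XSS_PROTECTION_HEADER = 'X-XSS-Protection';

// The value the middleware emits; "1" alone also counts as enabled below.
const SECURE_VALUE = '1; mode=block';

// Middleware (hypothetical name): sets the header unless a route already did.
function xssProtectionMiddleware(req, res, next) {
  if (res.getHeader(XSS_PROTECTION_HEADER) === undefined) {
    res.setHeader(XSS_PROTECTION_HEADER, SECURE_VALUE);
  }
  next();
}

// Classify a header value: "0" is the insecure setting this rule reports,
// "1" or "1; mode=block" is enabled, anything else is left for manual review.
function classifyXssProtection(value) {
  if (value === undefined || value === null) return 'missing';
  const v = String(value).trim().toLowerCase();
  if (v === '0') return 'disabled';
  if (/^1(\s*;\s*mode=block)?$/.test(v)) return 'enabled';
  return 'unrecognized';
}

// Minimal stand-in for http.ServerResponse (header names are case-insensitive).
function makeResponse(initialHeaders = {}) {
  const headers = new Map();
  for (const [name, value] of Object.entries(initialHeaders)) {
    headers.set(name.toLowerCase(), value);
  }
  return {
    setHeader: (name, value) => headers.set(name.toLowerCase(), value),
    getHeader: (name) => headers.get(name.toLowerCase()),
  };
}

// Run the middleware over a response and report the resulting classification.
function auditResponse(res) {
  let nextCalled = false;
  xssProtectionMiddleware({}, res, () => { nextCalled = true; });
  const value = res.getHeader(XSS_PROTECTION_HEADER);
  return { nextCalled, value, status: classifyXssProtection(value) };
}

// Constructed inputs: a fresh response, and one where an earlier handler
// (as lusca.xssProtection(false) would) already wrote the insecure value.
console.log(auditResponse(makeResponse()));
console.log(auditResponse(makeResponse({ 'X-XSS-Protection': '0' })));
```

The second call shows why the audit step is worth keeping: a middleware that only fills in a missing header does not undo an earlier `0`, and the checker reports that response as `disabled`.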
## Rule Details

| Field | Value |
|---|---|
| ID | CODE-0399 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-358 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | xss, security-headers |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |