Posted to users@httpd.apache.org by Thejas Hl <th...@gmail.com> on 2021/07/16 05:30:39 UTC

[users@httpd] query regarding httpd server

Hello team,
            Is an XSS attack internally taken care of by the httpd Apache server? If
yes, kindly share the steps to activate protection against such an attack.

Thanks and regards
tej

Re: [users@httpd] query regarding httpd server [EXT]

Posted by Jim Albert <ji...@netrition.com>.
You probably want to read some good information on XSS such as:
https://owasp.org/www-community/attacks/xss/

Jim

On 7/19/2021 5:27 AM, Jim Albert wrote:
> X-XSS-Protection is just an HTTPD response header that instructs the 
> browsers that respect the header to not make a request from the 
> content of the page that appears to be an XSS attack.
>
> Based on the page below, I don't think X-XSS-Protection offers much.
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
>
> XSS really needs to be addressed at the point where content is created 
> particularly if your concern is responding to security scan results. 
> A Content Security Policy offers better protection, but that still 
> won't get you past a security scan where XSS vulnerabilities exist, 
> nor should it. Per the previous reply, "Defensive code" is the best 
> solution.
>
> Jim
>
> On 7/19/2021 2:04 AM, Thejas Hl wrote:
>> Hi,
>>     thanks for your email.
>>          Is it possible that the server is filtering XSS attacks 
>> from browser-to-server requests (with the header X-XSS-Protection: "1;  
>> mode=block")? If so, kindly provide the steps for the same.
>>
>> regards
>> Thejas
>>
>>
>> On Fri, 16 Jul 2021 at 12:50, James Smith <js5@sanger.ac.uk 
>> <ma...@sanger.ac.uk>> wrote:
>>
>>     You can add:
>>
>>     Header always set X-XSS-Protection "1;  mode=block"
>>
>>     which will help – but for the rest you need to look at the way you
>>     code your pages.
>>
>>     Then you can look at
>>     (1) defensive code
>>     (2) Content-Security-Policy header
>>     (3) Specific rules in Apache to mitigate attacks
>>
>>     Remembering that XSS is often a vector for other attacks.
>>
>>     *From:*Thejas Hl <thejashl013@gmail.com
>>     <ma...@gmail.com>>
>>     *Sent:* 16 July 2021 06:31
>>     *To:* users@httpd.apache.org <ma...@httpd.apache.org>
>>     *Subject:* [users@httpd] query regarding httpd server [EXT]
>>
>>     Hello team,
>>
>>                 Is an XSS attack internally taken care of by the httpd Apache
>>     server? If yes, kindly share the steps to activate protection
>>     against such an attack.
>>
>>     Thanks and regards
>>
>>     tej
>>
>>     -- The Wellcome Sanger Institute is operated by Genome Research
>>     Limited, a charity registered in England with number 1021457 and
>>     a company registered in England with number 2742969, whose
>>     registered office is 215 Euston Road, London, NW1 2BE.
>>
>
>



Re: [users@httpd] query regarding httpd server [EXT]

Posted by Jim Albert <ji...@netrition.com>.
X-XSS-Protection is just an HTTPD response header that instructs the 
browsers that respect the header to not make a request from the content 
of the page that appears to be an XSS attack.

Based on the page below, I don't think X-XSS-Protection offers much.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

XSS really needs to be addressed at the point where content is created, 
particularly if your concern is responding to security scan results. A 
Content Security Policy offers better protection, but that still won't 
get you past a security scan where XSS vulnerabilities exist, nor 
should it. Per the previous reply, "Defensive code" is the best solution.

Jim

On 7/19/2021 2:04 AM, Thejas Hl wrote:
> Hi,
>     thanks for your email.
>          Is it possible that the server is filtering XSS attacks 
> from browser-to-server requests (with the header X-XSS-Protection: "1;  
> mode=block")? If so, kindly provide the steps for the same.
>
> regards
> Thejas
>
>
> On Fri, 16 Jul 2021 at 12:50, James Smith <js5@sanger.ac.uk 
> <ma...@sanger.ac.uk>> wrote:
>
>     You can add:
>
>     Header always set X-XSS-Protection "1;  mode=block"
>
>     which will help – but for the rest you need to look at the way you
>     code your pages.
>
>     Then you can look at
>     (1) defensive code
>     (2) Content-Security-Policy header
>     (3) Specific rules in Apache to mitigate attacks
>
>     Remembering that XSS is often a vector for other attacks.
>
>     *From:*Thejas Hl <thejashl013@gmail.com
>     <ma...@gmail.com>>
>     *Sent:* 16 July 2021 06:31
>     *To:* users@httpd.apache.org <ma...@httpd.apache.org>
>     *Subject:* [users@httpd] query regarding httpd server [EXT]
>
>     Hello team,
>
>                 Is an XSS attack internally taken care of by the httpd Apache
>     server? If yes, kindly share the steps to activate protection
>     against such an attack.
>
>     Thanks and regards
>
>     tej
>
>



Re: [users@httpd] query regarding httpd server [EXT]

Posted by Thejas Hl <th...@gmail.com>.
Hi,
    thanks for your email.
         Is it possible that the server is filtering XSS attacks from browser-to-server
requests (with the header X-XSS-Protection: "1;  mode=block")? If so,
then kindly provide the steps for the same.

regards
Thejas


On Fri, 16 Jul 2021 at 12:50, James Smith <js...@sanger.ac.uk> wrote:

> You can add:
>
> Header always set X-XSS-Protection "1;  mode=block"
>
> which will help – but for the rest you need to look at the way you code your
> pages.
>
> Then you can look at
> (1) defensive code
> (2) Content-Security-Policy header
> (3) Specific rules in Apache to mitigate attacks
>
> Remembering that XSS is often a vector for other attacks.
>
>
>
> *From:* Thejas Hl <th...@gmail.com>
> *Sent:* 16 July 2021 06:31
> *To:* users@httpd.apache.org
> *Subject:* [users@httpd] query regarding httpd server [EXT]
>
>
>
> Hello team,
>
>             Is an XSS attack internally taken care of by the httpd Apache server? If
> yes, kindly share the steps to activate protection against such an attack.
>
>
>
> Thanks and regards
>
> tej
>
>
>

RE: [users@httpd] query regarding httpd server [EXT]

Posted by James Smith <js...@sanger.ac.uk>.
You can add:

Header always set X-XSS-Protection "1;  mode=block"

which will help – but for the rest you need to look at the way you code your pages.

Then you can look at
(1) defensive code
(2) Content-Security-Policy header
(3) Specific rules in Apache to mitigate attacks

Remembering that XSS is often a vector for other attacks.

From: Thejas Hl <th...@gmail.com>
Sent: 16 July 2021 06:31
To: users@httpd.apache.org
Subject: [users@httpd] query regarding httpd server [EXT]

Hello team,
            Is an XSS attack internally taken care of by the httpd Apache server? If yes, kindly share the steps to activate protection against such an attack.

Thanks and regards
tej




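The replies above describe layers: the Header directive only asks the browser to react, a Content-Security-Policy limits what can run, and "defensive code" at the point where content is created removes the bug itself. The following Python example is added here to illustrate those layers and is not code from the list posts or from httpd; the sample input, the render functions and the CSP value are constructed assumptions.

```python
import html
from typing import Dict

# Constructed sample: user-supplied text containing characters that HTML
# treats as markup. Not an exploit, just enough to show the difference.
USER_INPUT = 'O\'Brien <b>likes</b> "quotes" & ampersands'

TEMPLATE = '<p>Hello, {name}</p>'


def render_unsafe(name: str) -> str:
    """Vulnerable form: interpolates raw input into the HTML body.

    Whatever markup the input carries becomes part of the page, which is
    what a security scan flags as XSS. Shown for contrast only.
    """
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Defensive code: encode for the HTML text context before inserting.

    html.escape with quote=True rewrites & < > " ' so the browser shows
    them as text rather than interpreting them as tags or attributes.
    """
    return TEMPLATE.format(name=html.escape(name, quote=True))


def response_headers() -> Dict[str, str]:
    """Headers the thread discusses, as a server would emit them.

    X-XSS-Protection matches the Header directive quoted in the thread.
    The CSP value is an assumed, deliberately strict example policy that
    refuses inline script. Neither header changes the HTML body above,
    which is why the encoding in render_safe is still required.
    """
    return {
        "X-XSS-Protection": "1; mode=block",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


if __name__ == "__main__":
    print("unsafe:", render_unsafe(USER_INPUT))
    print("safe:  ", render_safe(USER_INPUT))
    for name, value in response_headers().items():
        print(f"{name}: {value}")
```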