Posted to users@httpd.apache.org by Thejas Hl <th...@gmail.com> on 2021/07/16 05:30:39 UTC
[users@httpd] query regarding httpd server
Hello team,
Is an XSS attack internally taken care of by the httpd Apache server? If
yes, kindly share the steps to activate protection against such an attack.
Thanks and regards
tej
Re: [users@httpd] query regarding httpd server [EXT]
Posted by Jim Albert <ji...@netrition.com>.
You probably want to read some good information on XSS such as:
https://owasp.org/www-community/attacks/xss/
Jim
On 7/19/2021 5:27 AM, Jim Albert wrote:
> X-XSS-Protection is just an HTTPD response header that instructs the
> browsers that respect the header to not make a request from the
> content of the page that appears to be an XSS attack.
>
> Based on the page below, I don't think X-XSS-Protection offers much.
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
>
> XSS really needs to be addressed at the point where content is created,
> particularly if your concern is responding to security scan results.
> A Content Security Policy offers better protection, but that still
> won't get you past a security scan where XSS vulnerabilities exist,
> nor should it. Per the previous reply, "Defensive code" is the best
> solution.
>
> Jim
>
> On 7/19/2021 2:04 AM, Thejas Hl wrote:
>> hi ,
>> thanks for your email,
>> Is it possible that the server is filtering XSS attacks
>> in browser-to-server requests (with the header X-XSS-Protection: "1;
>> mode=block")? If so, kindly provide the steps for the same.
>>
>> regards
>> Thejas
>>
>>
>> On Fri, 16 Jul 2021 at 12:50, James Smith <js5@sanger.ac.uk
>> <ma...@sanger.ac.uk>> wrote:
>>
>> You can add:
>>
>> Header always set X-XSS-Protection "1; mode=block"
>>
>> which will help – but the rest you need to look at the way you
>> code your pages.
>>
>> Then you can look at
>> (1) defensive code
>> (2) Content-Security-Policy header
>> (3) Specific rules in Apache to mitigate attacks
>>
>> Remembering that XSS is often a vector for other attacks.
>>
>> *From:*Thejas Hl <thejashl013@gmail.com
>> <ma...@gmail.com>>
>> *Sent:* 16 July 2021 06:31
>> *To:* users@httpd.apache.org <ma...@httpd.apache.org>
>> *Subject:* [users@httpd] query regarding httpd server [EXT]
>>
>> Hello team,
>>
>> Is an XSS attack internally taken care of by the httpd Apache
>> server? If yes, kindly share the steps to activate protection
>> against such an attack.
>>
>> Thanks and regards
>>
>> tej
>>
>> -- The Wellcome Sanger Institute is operated by Genome Research
>> Limited, a charity registered in England with number 1021457 and
>> a company registered in England with number 2742969, whose
>> registered office is 215 Euston Road, London, NW1 2BE.
>>
>
>
Re: [users@httpd] query regarding httpd server [EXT]
Posted by Jim Albert <ji...@netrition.com>.
X-XSS-Protection is just an HTTPD response header that instructs the
browsers that respect the header to not make a request from the content
of the page that appears to be an XSS attack.
Based on the page below, I don't think X-XSS-Protection offers much.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
XSS really needs to be addressed at the point where content is created,
particularly if your concern is responding to security scan results. A
Content Security Policy offers better protection, but that still won't
get you past a security scan where XSS vulnerabilities exist, nor
should it. Per the previous reply, "Defensive code" is the best solution.
Jim
On 7/19/2021 2:04 AM, Thejas Hl wrote:
> hi ,
> thanks for your email,
> Is it possible that the server is filtering XSS attacks
> in browser-to-server requests (with the header X-XSS-Protection: "1;
> mode=block")? If so, kindly provide the steps for the same.
>
> regards
> Thejas
>
>
> On Fri, 16 Jul 2021 at 12:50, James Smith <js5@sanger.ac.uk
> <ma...@sanger.ac.uk>> wrote:
>
> You can add:
>
> Header always set X-XSS-Protection "1; mode=block"
>
> which will help – but the rest you need to look at the way you
> code your pages.
>
> Then you can look at
> (1) defensive code
> (2) Content-Security-Policy header
> (3) Specific rules in Apache to mitigate attacks
>
> Remembering that XSS is often a vector for other attacks.
>
> *From:*Thejas Hl <thejashl013@gmail.com
> <ma...@gmail.com>>
> *Sent:* 16 July 2021 06:31
> *To:* users@httpd.apache.org <ma...@httpd.apache.org>
> *Subject:* [users@httpd] query regarding httpd server [EXT]
>
> Hello team,
>
> Is an XSS attack internally taken care of by the httpd Apache
> server? If yes, kindly share the steps to activate protection
> against such an attack.
>
> Thanks and regards
>
> tej
>
> -- The Wellcome Sanger Institute is operated by Genome Research
> Limited, a charity registered in England with number 1021457 and a
> company registered in England with number 2742969, whose
> registered office is 215 Euston Road, London, NW1 2BE.
>
Re: [users@httpd] query regarding httpd server [EXT]
Posted by Thejas Hl <th...@gmail.com>.
Hi,
Thanks for your email.
Is it possible that the server is filtering XSS attacks in browser-to-server
requests (with the header X-XSS-Protection: "1; mode=block")? If so,
kindly provide the steps for the same.
regards
Thejas
On Fri, 16 Jul 2021 at 12:50, James Smith <js...@sanger.ac.uk> wrote:
> You can add:
>
> Header always set X-XSS-Protection "1; mode=block"
>
> which will help – but the rest you need to look at the way you code your
> pages.
>
> Then you can look at
> (1) defensive code
> (2) Content-Security-Policy header
> (3) Specific rules in Apache to mitigate attacks
>
> Remembering that XSS is often a vector for other attacks.
>
>
>
> *From:* Thejas Hl <th...@gmail.com>
> *Sent:* 16 July 2021 06:31
> *To:* users@httpd.apache.org
> *Subject:* [users@httpd] query regarding httpd server [EXT]
>
>
>
> Hello team,
>
> Is an XSS attack internally taken care of by the httpd Apache server? If
> yes, kindly share the steps to activate protection against such an attack.
>
>
>
> Thanks and regards
>
> tej
>
>
> -- The Wellcome Sanger Institute is operated by Genome Research Limited, a
> charity registered in England with number 1021457 and a company registered
> in England with number 2742969, whose registered office is 215 Euston Road,
> London, NW1 2BE.
>
RE: [users@httpd] query regarding httpd server [EXT]
Posted by James Smith <js...@sanger.ac.uk>.
You can add:
Header always set X-XSS-Protection "1; mode=block"
which will help – but the rest you need to look at the way you code your pages.
Then you can look at
(1) defensive code
(2) Content-Security-Policy header
(3) Specific rules in Apache to mitigate attacks
Remembering that XSS is often a vector for other attacks.
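Added example, not from this thread or from the httpd project, illustrating the point both James and Jim make: httpd cannot filter XSS out of requests for you, the fix is "defensive code" where the content is created, and the X-XSS-Protection and Content-Security-Policy headers are only defence in depth layered on top. It assumes a small Python page that echoes a user-supplied value; the function names, the sample input and the CSP policy value are all assumptions of this example.

```python
import html
from urllib.parse import quote

# Constructed sample input for this example, not taken from the thread:
# the kind of value an attacker-controlled form field or query string carries.
UNTRUSTED_NAME = '<script>alert(1)</script>'


def render_greeting_vulnerable(name: str) -> str:
    """The pattern httpd cannot fix for you: untrusted input pasted
    straight into HTML, so any markup in it becomes part of the page."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """'Defensive code' in the reply's sense: encode for the HTML text
    context at the point the content is created."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_attribute_safe(value: str) -> str:
    """Attribute context: always quote the attribute and escape quotes,
    otherwise a value can close the attribute and start a new one."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_url_safe(value: str) -> str:
    """URL query context: percent-encode. This is a different encoding
    from HTML escaping; using the wrong one for the context is a common gap."""
    return f'<a href="/search?q={quote(value, safe="")}">search</a>'


def security_headers() -> dict:
    """Headers from item (2) and the X-XSS-Protection line of the reply.
    The CSP policy value is an assumption for this example; tune it to
    what the site actually loads. These limit damage, they do not fix XSS."""
    return {
        "X-XSS-Protection": "1; mode=block",
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'none'"
        ),
    }


def build_response(name: str) -> tuple:
    """Minimal response: encoded body plus the headers. The body encoding
    is the actual control; the headers only reduce the blast radius."""
    return 200, security_headers(), render_greeting_safe(name)


def leaks_raw_markup(rendered: str, untrusted: str) -> bool:
    """Regression check in the spirit of a scanner: does the untrusted
    string survive unencoded in the rendered output?"""
    return untrusted in rendered


if __name__ == "__main__":
    print("vulnerable:", render_greeting_vulnerable(UNTRUSTED_NAME))
    print("safe:      ", render_greeting_safe(UNTRUSTED_NAME))
    print("leaks?", leaks_raw_markup(render_greeting_safe(UNTRUSTED_NAME),
                                      UNTRUSTED_NAME))
```

The two headers returned by security_headers() are the same ones the reply sets at the httpd layer with Header always set; where they are set does not matter, but note that neither header changes what the server accepts in a request, which is the question the original poster asked. Only the encoding in the render functions removes the vulnerability a scan would report.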
From: Thejas Hl <th...@gmail.com>
Sent: 16 July 2021 06:31
To: users@httpd.apache.org
Subject: [users@httpd] query regarding httpd server [EXT]
Hello team,
Is an XSS attack internally taken care of by the httpd Apache server? If yes, kindly share the steps to activate protection against such an attack.
Thanks and regards
tej
--
The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.