Posted to users@httpd.apache.org by James Smith <js...@sanger.ac.uk> on 2021/07/16 07:20:34 UTC

RE: [users@httpd] query regarding httpd server [EXT]

You can add:

Header always set X-XSS-Protection "1; mode=block"

which will help – but the rest you need to look at the way you code your pages.

Then you can look at
(1) defensive code
(2) Content-Security-Policy header
(3) Specific rules in Apache to mitigate attacks

Remembering that XSS is often a vector for other attacks.

From: Thejas Hl <th...@gmail.com>
Sent: 16 July 2021 06:31
To: users@httpd.apache.org
Subject: [users@httpd] query regarding httpd server [EXT]

Hello team,
            Is an XSS attack internally taken care of by the Apache httpd server? If yes, kindly share the steps to activate protection against such an attack.

Thanks and regards
tej




-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.
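As an added worked example (not configuration from the thread or from the Apache project), this is how points (2) and (3) above translate into httpd 2.4 directives. It assumes mod_headers and mod_rewrite are loaded; the policy values, the /csp-report endpoint and the rewrite pattern are placeholders to adapt to the site. X-XSS-Protection is kept only as a legacy hint: current Chrome, Edge and Firefox ignore it, so the Content-Security-Policy line is what actually limits what an injected payload can do once it reaches the page.

```apache
# Added example, not configuration from the thread. Assumes Apache httpd 2.4
# with mod_headers and mod_rewrite loaded; policy values, the /csp-report
# endpoint and the rewrite pattern are placeholders.
<IfModule mod_headers.c>
    # Legacy browser hint only: modern Chrome, Edge and Firefox ignore it, so it
    # protects no current client. Harmless to keep, cheap to drop.
    Header always set X-XSS-Protection "1; mode=block"

    # Stage 1 (rollout): report what the policy would block without breaking
    # the site. Browsers POST violation reports to the (assumed) /csp-report URL.
    Header always set Content-Security-Policy-Report-Only \
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; report-uri /csp-report"

    # Stage 2 (enforce): once the reports are clean, swap the directive above for
    # the enforcing header. Under this policy inline <script> blocks, inline event
    # handlers and javascript: URLs are refused, so a reflected payload that does
    # reach the page still does not execute.
    # Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
</IfModule>

# (3) "Specific rules in Apache": a request-side block of the most obvious
# payloads. This is a blunt blocklist that encoding tricks bypass easily; treat
# it as a tripwire for scanners, never as a substitute for output encoding.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # %{QUERY_STRING} is not URL-decoded, hence matching both "<" and "%3C".
    RewriteCond %{QUERY_STRING} (<|%3C)\s*script [NC]
    RewriteRule .* - [F,L]
</IfModule>
```

Enable the modules first (`a2enmod headers rewrite` on Debian-style layouts, or the matching LoadModule lines), run `apachectl configtest`, reload, and then confirm the headers on an error page as well as on a 200, which is what the `always` condition is for (without it, `Header set` only applies to successful responses): `curl -sI https://example.test/does-not-exist | grep -i -E 'content-security-policy|x-xss-protection'`.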

Re: [users@httpd] query regarding httpd server [EXT]

Posted by Jim Albert <ji...@netrition.com>.
You probably want to read some good information on XSS such as:
https://owasp.org/www-community/attacks/xss/

Jim

On 7/19/2021 5:27 AM, Jim Albert wrote:



Re: [users@httpd] query regarding httpd server [EXT]

Posted by Jim Albert <ji...@netrition.com>.
X-XSS-Protection is just an HTTPD response header that instructs the 
browsers that respect the header to not make a request from the content 
of the page that appears to be an XSS attack.

Based on the page below, I don't think X-XSS-Protection offers much.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

XSS really needs to be addressed at the point where content is created, 
particularly if your concern is responding to security scan results. A 
Content Security Policy offers better protection, but that still won't 
get you past a security scan where XSS vulnerabilities exist, nor 
should it. Per the previous reply, "defensive code" is the best solution.

Jim

On 7/19/2021 2:04 AM, Thejas Hl wrote:
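Jim's point that XSS has to be fixed where the content is generated, shown as an added example (not code from the thread, and not tied to whatever language the original poster's pages are written in; Python is used here for brevity). The page template, the attacker inputs and the helper names render_unsafe, render_safe, safe_href and contains_executable_injection are all constructed for illustration. The example also covers one case that plain HTML escaping misses: a javascript: URL placed in an href contains nothing to escape, so URL contexts need a scheme allow-list on top of attribute encoding.

```python
"""Added example (not from the thread): output encoding is what stops reflected
XSS. The web server cannot do it for you, because it does not know which bytes
of a response are markup and which are untrusted data.

Everything below is constructed for illustration: the template, the attacker
inputs and the helper names are assumptions, not anything from the posts.
"""
import html
from urllib.parse import urlsplit

# Constructed attacker-controlled inputs, e.g. taken from ?name=... and ?next=...
PAYLOAD_BODY = '<script>alert(1)</script>'      # lands in HTML text
PAYLOAD_ATTR = '" onmouseover="alert(1)'         # breaks out of a quoted attribute
PAYLOAD_URL = 'javascript:alert(1)'              # survives html.escape untouched


def render_unsafe(name: str, next_url: str) -> str:
    """The vulnerable pattern: untrusted data spliced straight into markup."""
    return (f'<p>Hello {name}</p>'
            f'<input value="{name}">'
            f'<a href="{next_url}">continue</a>')


def safe_href(url: str) -> str:
    """Allow only http(s) and site-relative links; anything else becomes '#'.

    html.escape alone does not help for URL attributes: 'javascript:alert(1)'
    has no characters that need escaping, so the scheme itself is checked.
    Protocol-relative '//evil.test/' is refused too (it is an open redirect).
    """
    url = url.strip()
    parts = urlsplit(url)
    site_relative = (parts.scheme == '' and url.startswith('/')
                     and not url.startswith('//'))
    if parts.scheme in ('http', 'https') or site_relative:
        return html.escape(url, quote=True)
    return '#'


def render_safe(name: str, next_url: str) -> str:
    """The defensive version: encode for the context each value lands in.

    - HTML text and quoted attribute values: html.escape(..., quote=True)
      turns < > & " ' into entities, so the browser treats them as text.
    - URL attribute: scheme allow-list first, then attribute encoding.
    """
    text = html.escape(name, quote=True)
    return (f'<p>Hello {text}</p>'
            f'<input value="{text}">'
            f'<a href="{safe_href(next_url)}">continue</a>')


def contains_executable_injection(page: str) -> bool:
    """Crude demo check: did any of the constructed payloads survive as live markup?"""
    return ('<script>' in page
            or 'onmouseover="alert(1)"' in page
            or 'href="javascript:' in page)


if __name__ == '__main__':
    for label, render in (('unsafe', render_unsafe), ('safe', render_safe)):
        for payload in (PAYLOAD_BODY, PAYLOAD_ATTR):
            page = render(payload, PAYLOAD_URL)
            print(f'{label:6} injected={contains_executable_injection(page)} {page}')
```

The takeaway for the original question: nothing in this script depends on httpd. The escaping has to happen in the code that builds the response, per output context, and a templating engine with auto-escaping on is the usual way to get it applied consistently.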



Re: [users@httpd] query regarding httpd server [EXT]

Posted by Thejas Hl <th...@gmail.com>.
Hi,
    thanks for your email.
         Is it possible that the server is filtering XSS attacks from browser-to-server
requests (with the header X-XSS-Protection: "1; mode=block")? If so,
then kindly provide the steps for the same.

regards
Thejas


On Fri, 16 Jul 2021 at 12:50, James Smith <js...@sanger.ac.uk> wrote: