Posted to users@httpd.apache.org by James Smith <js...@sanger.ac.uk> on 2021/07/16 07:20:34 UTC
RE: [users@httpd] query regarding httpd server [EXT]
You can add:
Header always set X-XSS-Protection "1; mode=block"
which will help – but the rest you need to look at the way you code your pages.
Then you can look at
(1) defensive code
(2) Content-Security-Policy header
(3) Specific rules in Apache to mitigate attacks
Remembering that XSS is often a vector for other attacks.
From: Thejas Hl <th...@gmail.com>
Sent: 16 July 2021 06:31
To: users@httpd.apache.org
Subject: [users@httpd] query regarding httpd server [EXT]
Hello team,
Is an XSS attack internally taken care of by the Apache httpd server? If yes, kindly share the steps to activate protection against such an attack.
Thanks and regards
tej
--
The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
Re: [users@httpd] query regarding httpd server [EXT]
Posted by Jim Albert <ji...@netrition.com>.
You probably want to read some good information on XSS such as:
https://owasp.org/www-community/attacks/xss/
Jim
On 7/19/2021 5:27 AM, Jim Albert wrote:
Re: [users@httpd] query regarding httpd server [EXT]
Posted by Jim Albert <ji...@netrition.com>.
X-XSS-Protection is just an HTTPD response header that instructs the
browsers that respect the header to not make a request from the content
of the page that appears to be an XSS attack.
Based on the page below, I don't think X-XSS-Protection offers much.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
XSS really needs to be addressed at the point where content is created,
particularly if your concern is responding to security scan results. A
Content Security Policy offers better protection, but that still won't
get you past a security scan where XSS vulnerabilities exist, nor
should it. Per the previous reply, "Defensive code" is the best solution.
Jim
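An added example (not code from the thread) illustrating James's and Jim's point: with the X-XSS-Protection header from the thread and a CSP set on the response, a page that reflects a query parameter unencoded still fails the check a scanner effectively makes, while encoding the input at the point the content is created does fix it. The CSP value and the sample request are assumptions constructed for this example; the thread only names the headers.

```python
import html
from urllib.parse import parse_qs

# Added example, not code from the mailing-list thread: a page that reflects a
# query parameter, rendered without and with output encoding, plus the response
# headers discussed in the thread. The CSP value is an assumption chosen for
# this example; the thread only names the header.
SECURITY_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

# Constructed sample request: the 'name' parameter carries HTML markup.
SAMPLE_QUERY = "name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def untrusted_name(query_string: str) -> str:
    """Pulls the 'name' parameter out of a URL-encoded query string."""
    return parse_qs(query_string).get("name", [""])[0]


def render_unsafe(query_string: str) -> str:
    """The defect: user input is pasted straight into the HTML document."""
    return f"<h1>Hello {untrusted_name(query_string)}</h1>"


def render_safe(query_string: str) -> str:
    """Defensive code: encode for the HTML text-node context before inserting."""
    return f"<h1>Hello {html.escape(untrusted_name(query_string), quote=True)}</h1>"


def build_response(body: str) -> dict:
    """Response as the server would send it: thread's headers plus the body."""
    return {"headers": {"Content-Type": "text/html; charset=utf-8", **SECURITY_HEADERS},
            "body": body}


def reflected_unencoded(response: dict, query_string: str) -> bool:
    """The check a scanner effectively makes: does the raw input survive in the
    body? The headers do not change this answer, so they alone won't pass a scan."""
    return untrusted_name(query_string) in response["body"]


if __name__ == "__main__":
    for renderer in (render_unsafe, render_safe):
        resp = build_response(renderer(SAMPLE_QUERY))
        print(renderer.__name__, "reflects raw markup:",
              reflected_unencoded(resp, SAMPLE_QUERY))
```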
On 7/19/2021 2:04 AM, Thejas Hl wrote:
Re: [users@httpd] query regarding httpd server [EXT]
Posted by Thejas Hl <th...@gmail.com>.
Hi,
thanks for your email,
Is it possible that the server is filtering XSS attacks in browser-to-server
requests (with the header X-XSS-Protection: "1; mode=block")? If so,
then kindly provide the steps for the same.
regards
Thejas
On Fri, 16 Jul 2021 at 12:50, James Smith <js...@sanger.ac.uk> wrote: