Bring your software development workflows to security
Cross-site scripting (XSS) is one of the most common and dangerous type attacks on the web, as it is often used to inject malicious code into your app to extract data about a logged in user, or take advantage of their user privileges to perform actions they shouldn’t be able to perform.
Setting the X-XSS-Protection header authorizes the client browsers to block attackers from reflected XSS attacks. The X-XSS-Protection header - set on the server side - highly improves the protection of web applications against cross-site scripting (XSS).
When a XSS attack is detected, you can either choose to sanitize the page by removing the unsafe parts (default behaviour when set); or prevent the browser from rendering the page (
While we highly recommand to setup a Content Security Policy (CSP) to prevent XSS to happen, this header is a good and simple first step.
This plugin can automatically set the
X-XSS-Protection header to the configured value in HTTP responses.
By instrumenting the HTTP server running in your application, Sqreen can inject the right value at runtime without requiring any code change nor deployment.
The value and the plugin status can be changed anytime from the plugin page.
No data collected