The X-XSS-Protection HTTP response header lets developers and security architects control the browser's built-in protection against reflected cross-site scripting. The mechanism is also known as the XSS Auditor in Chrome and the XSS filter in Internet Explorer. In modern browsers the Content-Security-Policy header provides better protection against XSS, so setting X-XSS-Protection may be redundant; however, the header can still reduce the risk of reflected XSS attacks in older browsers that do not support CSP. The header accepts one of three values: 0, 1, or 1; mode=block. A value of 0 disables the protection. A value of 1, the default behaviour in modern browsers, enables the protection in filter (replacement) mode: for example, IE rewrites JavaScript keywords such as <script> to <scr#pt> so that the injected string becomes ineffective. The value 1; mode=block instructs the browser to block the response from rendering at all. There have been reports of multiple exploits that leverage false positives from the default behaviour, which filters or replaces the injected JavaScript within the response returned from the server. The current recommendation is therefore to set the header in block mode.
Add the following inside the server block (note the straight double quotes; curly quotes are not valid in an nginx config):
add_header X-XSS-Protection "1; mode=block";
For example:
server{
add_header X-XSS-Protection "1; mode=block";
}
This response header is used to defend against and filter XSS. The available directives are:
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
0: disables XSS filtering.
1: enables XSS filtering (the browser sanitizes the page if an attack is detected).
1; mode=block: enables XSS filtering and, if an attack is detected, stops the page from rendering instead of sanitizing it.
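The following is an added example, not code from the original post: a small Python audit that parses the X-XSS-Protection value exactly as the three directives above define it (plus the optional report= directive that browsers also accept) and flags responses that are not in block mode or that lack a Content-Security-Policy. The function names and the sample header dictionaries are my own construction.

```python
"""Audit X-XSS-Protection (and the presence of CSP) in HTTP response headers."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class XssProtectionResult:
    enabled: bool
    mode: str                  # "disabled", "filter" or "block"
    report_uri: Optional[str]  # value of an optional "report=<uri>" directive
    note: str


def parse_x_xss_protection(value: str) -> XssProtectionResult:
    """Parse a header value of the form: "0" | "1" [; mode=block] [; report=<uri>]."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty X-XSS-Protection value")
    flag = parts[0]
    if flag == "0":
        return XssProtectionResult(False, "disabled", None, "browser XSS filter disabled")
    if flag != "1":
        raise ValueError(f"unknown X-XSS-Protection flag: {flag!r}")
    mode, report_uri = "filter", None
    for directive in parts[1:]:
        key, _, val = directive.partition("=")  # split on the first '=' only; URIs may contain '='
        key, val = key.strip().lower(), val.strip()
        if key == "mode" and val.lower() == "block":
            mode = "block"
        elif key == "report":
            report_uri = val
        else:
            raise ValueError(f"unknown X-XSS-Protection directive: {directive!r}")
    note = ("filter mode: injected script is rewritten but the page still renders "
            "(false-positive abuse risk)" if mode == "filter"
            else "block mode: the response is not rendered when an attack is detected")
    return XssProtectionResult(True, mode, report_uri, note)


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response's headers (empty list = nothing to report)."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    xxp = lower.get("x-xss-protection")
    if xxp is None:
        findings.append("X-XSS-Protection header missing")
    else:
        result = parse_x_xss_protection(xxp)
        if result.mode != "block":
            findings.append(f"X-XSS-Protection is in {result.mode} mode; recommended value: 1; mode=block")
    if "content-security-policy" not in lower:
        findings.append("Content-Security-Policy missing; X-XSS-Protection only helps legacy browsers")
    return findings
```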
https://vulncat.fortify.com/en/detail?id=desc.configuration.dotnet.html5_xss_protection
https://learnku.com/articles/9485/the-best-nginx-configuration-for-improving-security