Security Hub

Bring your software development workflows to security


XSS browser protection

Signals & Triggers

On request

Actions

  • Set the HTTP header

Details

Cross-site scripting (XSS) is one of the most common and dangerous types of attack on the web. It is typically used to inject malicious code into your app in order to extract data about a logged-in user, or to abuse that user's privileges to perform actions they should not be able to perform.

Setting the X-XSS-Protection header instructs the client's browser to block reflected XSS attacks. The X-XSS-Protection header, set on the server side, significantly improves the protection of web applications against cross-site scripting (XSS).

When an XSS attack is detected, you can choose either to sanitize the page by removing the unsafe parts (the default behaviour when the header is set), or to prevent the browser from rendering the page at all (mode=block).

While we strongly recommend setting up a Content Security Policy (CSP) to prevent XSS from happening in the first place, this header is a good and simple first step.

Advanced details

This plugin can automatically set the X-XSS-Protection header to the configured value in HTTP responses.

By instrumenting the HTTP server running in your application, Sqreen can inject the right value at runtime without requiring any code change or redeployment.

The value and the plugin status can be changed anytime from the plugin page.
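To make the two modes and the runtime-injection idea concrete, here is an added example (not Sqreen's code) of a small WSGI middleware that sets X-XSS-Protection on every response, together with a parser for auditing the value a response actually sends. The mode names "sanitize" and "block", the sample app and the in-process request driver are all assumptions constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

# Assumed mode names mirroring the page: "sanitize" (header value 1, the browser
# removes unsafe parts) and "block" (1; mode=block, the page is not rendered).
MODES = {"sanitize": "1", "block": "1; mode=block"}

def xss_header_value(mode: str) -> str:
    """Map a configured mode to the header value; unknown modes fail loudly."""
    if mode not in MODES:
        raise ValueError(f"unknown X-XSS-Protection mode: {mode!r}")
    return MODES[mode]

def parse_xss_protection(value: Optional[str]) -> Dict[str, bool]:
    """Classify a raw header value: absent, disabled (0), enabled (1), block mode."""
    if value is None:
        return {"present": False, "enabled": False, "block": False}
    parts = [p.strip().lower() for p in value.split(";")]
    enabled = parts[0] == "1"
    return {"present": True, "enabled": enabled, "block": enabled and "mode=block" in parts[1:]}

class XssProtectionMiddleware:
    """Wraps a WSGI app and sets X-XSS-Protection on every response, replacing
    any value the app set itself so the configured policy always wins."""
    HEADER = "X-XSS-Protection"

    def __init__(self, app, mode: str = "block"):
        self.app, self.value = app, xss_header_value(mode)

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != self.HEADER.lower()]
            return start_response(status, kept + [(self.HEADER, self.value)], exc_info)
        return self.app(environ, patched_start)

def make_app(extra_headers=()):
    """Constructed sample app; extra_headers simulates an app that set its own value."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html"), *extra_headers])
        return [b"<html>hello</html>"]
    return app

def run_request(app, path: str = "/") -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Minimal in-process WSGI driver so the example runs without a server."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body
```

Note that current Chromium-based browsers and Firefox do not act on this header any more, so treat it as defence in depth for older clients and rely on the CSP the page recommends as the primary control.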

Language support

  • Ruby
  • Node.js
  • PHP
  • Python
  • Java

Data collected by Sqreen

Signals

No data collected


Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

Node.js

$ npm install --save sqreen
$ echo '{ "token": "your token" }' > sqreen.json

// This should be the first line of your app
require('sqreen');

Ruby

$ echo "gem 'sqreen'" >> Gemfile
$ bundle install
$ echo "token: your token" >> config/sqreen.yml

PHP

$ curl -s https://8dc0b36f0ea6f2f21b721765e10a7e02768cd1825b4551f4:@packagecloud.io/install/repositories/sqreen/sqreen/script.deb.sh | bash
$ apt-get install --no-install-recommends sqreen-agent sqreen-php-extension
$ /usr/lib/sqreen/sqreen-installer config {your token}

Python

$ pip install sqreen
$ echo -e '[sqreen]\ntoken: your token' >> sqreen.ini

# Insert at the top of your app file (typically wsgi.py or app.py)
import sqreen
sqreen.start()

Java

$ curl https://download.sqreen.io/java/sqreen-latest-all.jar -o sqreen-latest-all.jar

// Next, edit the JVM startup file:
-javaagent:/path/to/sqreen-agent.jar -Dsqreen.token={{your token}}
