Edit on Github

HTTP Header Security

The HTTP Header Security mechanism allows you to add security-related response headers which enable browser-side security mechanisms.

XSS Protection

If the XSS Protection header is enabled some cross-site scripting (XSS) attacks are detected, and the malicious parts of the page are either sanitized, or the rendering of the page is blocked entirely.

Where to Configure?

Choose a container from the list and learn where to configure the HTTP Security Headers:

How to Configure?

The following table shows the possible configuration options and the default behavior:

Name	Attribute	Configuration	Default
`X-XSS-Protection`	`xssProtectionOption`	The allowed set of values: `BLOCK`: If the browser detects a cross-site scripting attack, the page is blocked completely `SANITIZE`: If the browser detects a cross-site scripting attack, the page is sanitized from suspicious parts (value `0`)	`BLOCK`
	`xssProtectionDisabled`	The header can be entirely disabled if set to `true`. Allowed set of values is `true` and `false`.	`false`
	`xssProtectionValue`	A custom value for the header can be specified.	`1; mode=block`

For further reading on how the XSS protection header works in detail, please see Mozillas MDN Web Docs.

Options

HTTP Header Security

XSS Protection

Where to Configure?

How to Configure?

On this Page: