HTTP Header Security

The HTTP Header Security mechanism allows you to add security-related response headers which enable browser-side security mechanisms.

XSS Protection

If the XSS Protection header is enabled, some cross-site scripting (XSS) attacks are detected by the browser, and the malicious parts of the page are either sanitized or the rendering of the page is blocked entirely.

Where to Configure?

Choose a container from the list and learn where to configure the HTTP Security Headers:

How to Configure?

The following table shows the possible configuration options and the default behavior:

Name: X-XSS-Protection

Attribute: xssProtectionOption
Configuration: The allowed set of values:
  • BLOCK: If the browser detects a cross-site scripting attack, the page is blocked completely
  • SANITIZE: If the browser detects a cross-site scripting attack, the page is sanitized from suspicious parts (value 0)
Default: BLOCK

Attribute: xssProtectionDisabled
Configuration: The header can be entirely disabled if set to true. The allowed set of values is true and false.
Default: false

Attribute: xssProtectionValue
Configuration: A custom value for the header can be specified.
Default: 1; mode=block
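As an added example (not part of this page or of the product's own code), the following Python checker classifies the X-XSS-Protection header a response actually sends, which is the quickest way to verify that the configuration above took effect; the sample responses are constructed.

```python
from typing import Dict, Optional, Tuple

# Constructed sample responses (not from the page): header maps as a test
# client or proxy would expose them, with mixed-case names on purpose.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "default":  {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"},
    "sanitize": {"X-XSS-Protection": "1"},
    "off":      {"x-xss-protection": "0"},
    "report":   {"X-XSS-Protection": "1; report=https://example.invalid/r"},
    "missing":  {"Content-Type": "text/html"},
}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify_xss_protection(headers: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (mode, report_uri) for the X-XSS-Protection header of a response.

    mode is one of: missing, disabled, sanitize, block, invalid.
    Syntax follows the header as documented on MDN: "0", "1",
    "1; mode=block" and "1; report=<uri>". Note that current Chromium and
    Firefox ignore this header; Content-Security-Policy is the effective control.
    """
    value = get_header(headers, "X-XSS-Protection")
    if value is None:
        return "missing", None
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return "invalid", None
    if parts[0] == "0":
        return "disabled", None
    mode, report = "sanitize", None
    for directive in parts[1:]:
        key, _, val = directive.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "mode" and val.lower() == "block":
            mode = "block"
        elif key == "report" and val:
            report = val
        else:
            return "invalid", None
    return mode, report


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every sampled response so gaps (missing/disabled) stand out."""
    return {name: classify_xss_protection(h) for name, h in responses.items()}
```

Run audit(SAMPLE_RESPONSES) against your own captured responses to confirm that the default configuration yields mode "block" and that xssProtectionDisabled=true yields "missing".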

For further reading on how the XSS protection header works in detail, please see Mozilla's MDN Web Docs.
