Wednesday 23 November 2016

Securing your ASP.NET MVC app against Cross Site Scripting attacks using the X-XSS-Protection header


Internet Explorer and Chrome come with a built-in XSS filter that is controlled by the X-XSS-Protection response header. To make use of it, we need to enable it in our web server or in our web application.

If this is enabled on the server, the response header looks like this.



If your web app is an ASP.NET MVC application, it is very easy to enable using the web.config file.
All you need to do is add a custom header under system.webServer, as in the following config entry.

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- drop the X-Powered-By banner and turn on the browser XSS filter in blocking mode -->
      <remove name="X-Powered-By" />
      <add name="X-XSS-Protection" value="1; mode=block" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

You can also add this in IIS itself, in the HTTP Response Headers section.



If you are using the Apache web server, all you need to do is add the following lines to your .htaccess file (mod_headers must be enabled).

<IfModule mod_headers.c>
     Header set X-XSS-Protection "1; mode=block"
</IfModule>
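Whichever server you configure, it is worth confirming what actually reaches the browser. The following Python script is an added example (not from the original post): it parses a raw HTTP response and classifies the X-XSS-Protection value, accepting the full value syntax ("0", "1", "1; mode=block", "1; report=<uri>") rather than only the one shown above. The sample responses are constructed.

```python
# Added example (not from the original post): check a raw HTTP response for "X-XSS-Protection: 1; mode=block".
HEADER = "x-xss-protection"


def parse_headers(raw_response: str) -> dict:
    """Return lower-cased header names -> values (first value wins), skipping the status line."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_xss_protection(value: str) -> dict:
    """Parse the header value syntax: '0', '1', '1; mode=block', '1; report=<uri>'."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"malformed X-XSS-Protection value: {value!r}")
    result = {"enabled": parts[0] == "1", "mode": None, "report": None}
    for directive in parts[1:]:
        key, _, val = directive.partition("=")
        key = key.strip().lower()
        if key not in ("mode", "report"):
            raise ValueError(f"unknown directive {key!r} in {value!r}")
        result[key] = val.strip()
    return result


def check_response(raw_response: str) -> str:
    """Classify a response: 'ok', 'missing', 'disabled', 'no-block' or 'malformed'."""
    headers = parse_headers(raw_response)
    if HEADER not in headers:
        return "missing"
    try:
        parsed = parse_xss_protection(headers[HEADER])
    except ValueError:
        return "malformed"
    if not parsed["enabled"]:
        return "disabled"          # value "0" switches the browser filter off
    if parsed["mode"] != "block":
        return "no-block"          # filter sanitises the page instead of blocking it
    return "ok"


# Constructed sample responses: what the config above should produce, plus two bad variants.
GOOD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 1; mode=block\r\n\r\n<html>"
OFF = "HTTP/1.1 200 OK\r\nX-XSS-Protection: 0\r\n\r\n"
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("off", OFF), ("missing", MISSING)):
        print(label, check_response(resp))
```

Current browsers have since removed the XSS auditor this header controls, so treat it as defence in depth alongside output encoding and a Content-Security-Policy rather than as the primary protection.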


