This article is a part of our Web Security Knowledge Base.
Why Web Browser XSS Protection Not Enabled can be dangerous
The web browser's built-in XSS filter is not enabled for this response, either because the ‘X-XSS-Protection’ HTTP response header is missing or because the web server's configuration sets it to a value that disables the filter. Attackers use XSS attacks to make a trusted website deliver malicious script to its users.
How to fix Web Browser XSS Protection Not Enabled
Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to ‘1’.
The following values would attempt to enable Web Browser XSS Protection:
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/xss
How does ScanRepeat report Web Browser XSS Protection Not Enabled
ScanRepeat analyzes HTTP responses, looking for the ‘X-XSS-Protection’ header and checking whether its value correctly enables the browser's XSS protection. Note that ScanRepeat raises this alert only if the response body could potentially contain an XSS payload, that is, when the response has a text-based content type and a non-zero body length.
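The following Python script is an added example and is not ScanRepeat's own code or the scanner's actual implementation. It covers both sections above: protection_header() builds the header value a server would send (the "How to fix" values), and check_response() applies the decision rule just described (alert only for a non-empty, text-based body whose header is missing or does not start with ‘1’) to a few constructed sample responses. The list of "text-based" content types and the exact finding messages are assumptions for this example. One caveat for practitioners: the X-XSS-Protection header is a legacy mechanism; Chromium-based browsers removed the XSS auditor (Chrome 78) and Firefox never implemented it, so a Content-Security-Policy is the primary browser-side defense today, with this header as a compatibility measure for older browsers.

```python
"""Added example (not ScanRepeat's code): emit and check the X-XSS-Protection header.

check_response() mirrors the rule described in the text: a finding is raised only
when the body is non-empty and the Content-Type is text-based, and the header is
missing or does not start with '1'.
"""
from __future__ import annotations

from typing import Optional

# application/* subtypes whose bodies are really text and could carry a payload.
# This set is an assumption for the example; text/* is always treated as text-based.
TEXT_BASED_SUBTYPES = {"html", "xhtml+xml", "xml", "javascript", "json", "plain", "css"}


def is_text_based(content_type: str) -> bool:
    """True for text/* and for the application/* subtypes listed above."""
    media = content_type.split(";", 1)[0].strip().lower()  # drop "; charset=..."
    if not media:
        return False
    main, _, sub = media.partition("/")
    return main == "text" or sub in TEXT_BASED_SUBTYPES


def parse_xss_protection(value: str) -> tuple[bool, dict[str, str]]:
    """Split '1; mode=block; report=URL' into (enabled, {directive: value})."""
    parts = [p.strip() for p in value.split(";")]
    enabled = parts[0] == "1"
    directives: dict[str, str] = {}
    for part in parts[1:]:
        name, _, val = part.partition("=")  # only the first '=' separates name/value
        if name:
            directives[name.strip().lower()] = val.strip()
    return enabled, directives


def check_response(headers: dict[str, str], body: bytes) -> Optional[str]:
    """Return a finding description, or None when the response passes."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not body or not is_text_based(lowered.get("content-type", "")):
        return None  # empty or non-text body: nothing for a browser XSS filter to act on
    value = lowered.get("x-xss-protection")
    if value is None:
        return "X-XSS-Protection header not set"
    enabled, _ = parse_xss_protection(value)
    if not enabled:
        return f"X-XSS-Protection present but does not enable the filter: {value!r}"
    return None


def protection_header(report_uri: Optional[str] = None) -> tuple[str, str]:
    """Build the (name, value) pair a server would add to its text responses."""
    value = "1; mode=block"
    if report_uri:
        value += f"; report={report_uri}"  # report= is honoured by Chromium-based browsers only
    return "X-XSS-Protection", value


# Constructed sample responses for the demo (not captured from any real site).
SAMPLES = {
    "missing": ({"Content-Type": "text/html; charset=utf-8"}, b"<html>hi</html>"),
    "disabled": ({"Content-Type": "text/html", "X-XSS-Protection": "0"}, b"<p>x</p>"),
    "enabled": ({"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"}, b"<p>x</p>"),
    "image": ({"Content-Type": "image/png"}, b"\x89PNG..."),
    "empty": ({"Content-Type": "text/html"}, b""),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(f"{name:9}: {check_response(hdrs, body) or 'OK'}")
    print(": ".join(protection_header("https://www.example.com/xss")))
```

Running the script prints a finding for the "missing" and "disabled" samples and "OK" for the other three, which is exactly the scope described above: image and empty responses are skipped rather than flagged.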