Missing Security Header (X-XSS-Protection) - Missing HTTP Headers
- Scanners report a missing X-XSS-Protection header as leaving the website open to Cross-site Scripting (XSS). Be clear about what the header does: it only switches on the built-in XSS filter of older browsers, it does not fix an XSS bug in the application, and current Chrome, Edge and Firefox no longer honour it. Treat it as a cheap legacy hardening item to silence the finding, and rely on a Content-Security-Policy (plus output encoding in the application) for real XSS mitigation.
- Apache (httpd.conf & ssl.conf)
- Enable "LoadModule headers_module modules/mod_headers.so"
***********************************************
LoadModule headers_module modules/mod_headers.so
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
***********************************************
OR
***********************************************
LoadModule headers_module modules/mod_headers.so
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
***********************************************
To test (use a plain ASCII hyphen in the flag; a pasted en dash is not understood by curl):
curl -I http://ipAddressOrHostName:port
curl -I https://ipAddressOrHostName:port
Check that the X-XSS-Protection line appears in the response headers. Note that "Header set" applies only to successful (2xx) responses; use "Header always set" if the header must also appear on redirects and error pages.
Clickjacking
- Clickjacking (also called UI redress or the iframe overlay trick) works by loading the target site in an invisible iframe on top of a decoy page. When the user clicks what looks like a harmless button or link, the click actually lands on a control in the framed site (a "confirm", "pay" or "delete" button, say), so the attacker gets the user to perform an action or expose data without realising it. The X-Frame-Options header tells the browser whether the page may be framed at all.
- Apache (httpd.conf & ssl.conf)
- Enable "LoadModule headers_module modules/mod_headers.so"
***********************************************
LoadModule headers_module modules/mod_headers.so
Header set X-Frame-Options SAMEORIGIN
***********************************************
- Use DENY if the page never needs to be framed, and SAMEORIGIN if only pages from the same origin may frame it; the older ALLOW-FROM value is obsolete and current browsers ignore it. The modern equivalent is the frame-ancestors directive of Content-Security-Policy, which can be sent alongside X-Frame-Options.
- While editing the same files, also enable HSTS, but put it only in ssl.conf (the HTTPS virtual host): browsers ignore a Strict-Transport-Security header received over plain HTTP. Leave out the preload token unless you intend to submit the domain to the HSTS preload list, because preloading is hard to reverse:
***********************************************
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
***********************************************
To test: curl -I http://ipAddressOrHostName:port and curl -I https://ipAddressOrHostName:port (the HSTS header should show up only on the HTTPS response).
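Reading curl -I output by eye does not scale once there are several hosts and several headers to check. The following POSIX shell script is an added example, not code from the original post: it audits a response for the headers discussed above, reports which ones are missing and flags weak values (an unsupported X-Frame-Options value, an HSTS max-age under a year). It deliberately requires Content-Security-Policy rather than X-XSS-Protection, for the reasons given in the first section. The function names (header_value, missing_headers, weak_values, check_response) and the sample response embedded in the script are my own; pass a URL to audit a live server through curl -sI, or run it with no arguments to audit the constructed sample.

```shell
#!/bin/sh
# Audit the security headers in an HTTP response (added example, not from the post).
# Usage: ./check_headers.sh https://host:port/   (audits a live response via curl -sI)
#        ./check_headers.sh                       (audits the constructed sample below)

# Constructed sample response: a server that sets X-Frame-Options and nothing else.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
'

# Headers that must be present. X-XSS-Protection is deliberately not required:
# current browsers no longer honour it, and Content-Security-Policy replaces it.
REQUIRED='X-Frame-Options X-Content-Type-Options Strict-Transport-Security Content-Security-Policy'

# header_value NAME RESPONSE: print the value of header NAME (case-insensitive
# name match, CRLF line endings tolerated), or nothing if the header is absent.
header_value() {
    printf '%s\n' "$2" | tr -d '\r' |
        awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -F': ' \
            'tolower($1) == name { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# missing_headers RESPONSE: print each required header that is absent, one per line.
missing_headers() {
    for h in $REQUIRED; do
        [ -n "$(header_value "$h" "$1")" ] || printf '%s\n' "$h"
    done
}

# weak_values RESPONSE: print one line for each header that is present but weak.
weak_values() {
    xfo=$(header_value X-Frame-Options "$1" | tr 'a-z' 'A-Z')
    case "$xfo" in
        ''|DENY|SAMEORIGIN) ;;   # absence is reported by missing_headers, not here
        *) printf 'X-Frame-Options: %s (only DENY or SAMEORIGIN are honoured)\n' "$xfo" ;;
    esac
    hsts=$(header_value Strict-Transport-Security "$1")
    if [ -n "$hsts" ]; then
        age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
        [ "${age:-0}" -ge 31536000 ] ||
            printf 'Strict-Transport-Security: max-age=%s is below one year\n' "${age:-0}"
    fi
}

# check_response RESPONSE: list missing headers; return 0 only if none are missing.
check_response() {
    missing=$(missing_headers "$1")
    if [ -n "$missing" ]; then
        printf 'missing headers:\n%s\n' "$missing"
        return 1
    fi
    echo 'all required headers present'
}

if [ -n "${1:-}" ]; then
    resp=$(curl -sI "$1")
else
    resp=$SAMPLE_RESPONSE
fi
if check_response "$resp"; then status=0; else status=1; fi
weak_values "$resp"
# $status is 0 only when nothing is missing, so `exit $status` turns this into a
# CI gate; it is not called here so the functions stay usable when the file is sourced.
```

Run it once against the plain HTTP port and once against the HTTPS port, since the HSTS header is only expected on the latter; on the constructed sample it reports X-Content-Type-Options, Strict-Transport-Security and Content-Security-Policy as missing.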
Thanks 😊