X-Xss-Protection¶
备注
当检测到跨站脚本攻击 (XSS (en-US)) 时,浏览器将停止加载页面。若网站设置了良好的 Content-Security-Policy 来禁用内联 JavaScript (‘unsafe-inline’),现代浏览器不太需要这些保护, 但其仍然可以为尚不支持 CSP 的旧版浏览器的用户提供保护。
Syntax:
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
0:
Disables XSS filtering.
1:
Enables XSS filtering (usually default in browsers).
If a cross-site scripting attack is detected,
the browser will sanitize the page (remove the unsafe parts).
1; mode=block:
Enables XSS filtering.
Rather than sanitizing the page,
the browser will prevent rendering of the page if an attack is detected.
1; report=<reporting-URI> (Chromium only):
Enables XSS filtering.
If a cross-site scripting attack is detected,
the browser will sanitize the page and report the violation.
This uses the functionality of the CSP report-uri directive to send a report.
Example¶
Block pages from loading when they detect reflected XSS attacks:
X-XSS-Protection: 1; mode=block
PHP:
header("X-XSS-Protection: 1; mode=block");
Nginx:
add_header "X-XSS-Protection" "1; mode=block";