From 4d99c4260732ae4a6d59dc8868bcf24129cafd00 Mon Sep 17 00:00:00 2001
From: Jonathan Hodgson
Date: Wed, 24 Mar 2021 13:38:38 +0000
Subject: [PATCH] The recommended value for x-xss-protection is now 0

The script will now recommend x-xss-protection is set to 0, in line with the recommendation made by owasp. https://owasp.org/www-project-secure-headers/#x-xss-protection
---
 bin/.bin/webtest/analyse-headers | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/bin/.bin/webtest/analyse-headers b/bin/.bin/webtest/analyse-headers
index 21736725..3e6a5603 100755
--- a/bin/.bin/webtest/analyse-headers
+++ b/bin/.bin/webtest/analyse-headers
@@ -110,14 +110,16 @@ test_x-powered-by(){
 test_x-xss-protection(){
 local value
 value="$(echo "$1" | cut -d ':' -f 2 | grep -oE '[0-9]+' )"
- if [ "$value" = "1" ]; then
+ if [ "$value" = "0" ]; then
 return 0
 else
 echo "X-XSS-Protection" | drawInBox
- wecho -e "The X-XSS-Protection header asks browsers to try and prevent \
-reflected cross site scripting attacks. It has been replaced in modern browsers \
-by the content-security-policy although should still be included for the sake \
-of old browsers\n\n"
+ wecho -e "The X-XSS-Protection header used to ask browsers to try and use \
+internal heuristics to prevent reflected XSS attacks. It has been depreciated in all \
+modern browsers that used to implement it.
+
+OWASP now suggests setting it to 0.
+https://owasp.org/www-project-secure-headers/#x-xss-protection\n\n"
 return 1
 fi
 }
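Review bot: The new user-facing message on the added wecho lines misspells "deprecated" as "depreciated", which reads as a finance term in a security report; change the second added line to `internal heuristics to prevent reflected XSS attacks. It has been deprecated in all \`. The comparison now passes only an exact `0`, so a header that is missing, unparseable or still set to `1; mode=block` all produce the same recommendation, which matches the OWASP guidance the commit cites; however, because `grep -oE '[0-9]+'` emits one line per match, a value that carries a second digit elsewhere (for example in a `report=` URL) yields a multi-line `value` that can never equal `0` even when the directive itself is `0`, so consider anchoring the extraction to the first numeric token, e.g. `grep -oE '[0-9]+' | head -n 1`. Whether `$1` is ever the bare value rather than the full header line is not visible in the hunk, so that part is inferred. The message could also state briefly why an explicit `0` is preferred over simply omitting the header, since the script now flags absence and presence of `1` identically.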