The recommended value for x-xss-protection is now 0

The script will now recommend x-xss-protection be set to 0, in line with
the recommendation made by OWASP.

https://owasp.org/www-project-secure-headers/#x-xss-protection
master
Jonathan Hodgson 4 years ago
parent ce9f661506
commit 4d99c42607
  1. 12
      bin/.bin/webtest/analyse-headers

@ -110,14 +110,16 @@ test_x-powered-by(){
test_x-xss-protection(){ test_x-xss-protection(){
local value local value
value="$(echo "$1" | cut -d ':' -f 2 | grep -oE '[0-9]+' )" value="$(echo "$1" | cut -d ':' -f 2 | grep -oE '[0-9]+' )"
if [ "$value" = "1" ]; then if [ "$value" = "0" ]; then
return 0 return 0
else else
echo "X-XSS-Protection" | drawInBox echo "X-XSS-Protection" | drawInBox
wecho -e "The X-XSS-Protection header asks browsers to try and prevent \ wecho -e "The X-XSS-Protection header used to ask browsers to try and use \
reflected cross site scripting attacks. It has been replaced in modern browsers \ internal heuristics to prevent reflected XSS attacks. It has been depreciated in all \
by the content-security-policy although should still be included for the sake \ modern browsers that used to implement it.
of old browsers\n\n"
OWASP now suggests setting it to 0.
https://owasp.org/www-project-secure-headers/#x-xss-protection\n\n"
return 1 return 1
fi fi
} }
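Review bot: the new help text in the `wecho -e` string reads "It has been depreciated in all modern browsers"; the intended word is "deprecated" ("depreciated" means lost value), so change it to "It has been deprecated in all modern browsers that used to implement it." Two smaller points on the same string: the line "modern browsers that used to implement it." has no trailing backslash, so the blank line and "OWASP now suggests setting it to 0." become literal newlines inside the quoted string, which works but differs from the `\` continuation style used on the lines above it; and since `value` is taken as the first digit run from `grep -oE '[0-9]+'`, any header whose value does not start with `0` (for example the old `1; mode=block`) now falls into the warning branch, which is the intended behaviour, so it would help to say in the message that the old `1; mode=block` setting is what the check is flagging.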
