The recommended value for x-xss-protection is now 0
The script will now recommend that x-xss-protection is set to 0, in line with the recommendation made by OWASP. https://owasp.org/www-project-secure-headers/#x-xss-protection
This commit is contained in:
parent
ce9f661506
commit
4d99c42607
1 changed files with 7 additions and 5 deletions
|
@ -110,14 +110,16 @@ test_x-powered-by(){
|
||||||
test_x-xss-protection(){
|
test_x-xss-protection(){
|
||||||
local value
|
local value
|
||||||
value="$(echo "$1" | cut -d ':' -f 2 | grep -oE '[0-9]+' )"
|
value="$(echo "$1" | cut -d ':' -f 2 | grep -oE '[0-9]+' )"
|
||||||
if [ "$value" = "1" ]; then
|
if [ "$value" = "0" ]; then
|
||||||
return 0
|
return 0
|
||||||
else
|
else
|
||||||
echo "X-XSS-Protection" | drawInBox
|
echo "X-XSS-Protection" | drawInBox
|
||||||
wecho -e "The X-XSS-Protection header asks browsers to try and prevent \
|
wecho -e "The X-XSS-Protection header used to ask browsers to try and use \
|
||||||
reflected cross site scripting attacks. It has been replaced in modern browsers \
|
internal heuristics to prevent reflected XSS attacks. It has been depreciated in all \
|
||||||
by the content-security-policy although should still be included for the sake \
|
modern browsers that used to implement it.
|
||||||
of old browsers\n\n"
|
|
||||||
|
OWASP now suggests setting it to 0.
|
||||||
|
https://owasp.org/www-project-secure-headers/#x-xss-protection\n\n"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
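Review bot: the new user-facing message has a spelling error at the line `internal heuristics to prevent reflected XSS attacks. It has been depreciated in all \`: "depreciated" should be "deprecated", since the text is explaining that browsers have dropped the header, not that it lost value. Separately, the new check `if [ "$value" = "0" ]; then` only passes on an explicit `0`; if this function can also be reached when the header is absent or carries no digits, `value` is empty, the comparison fails, and the user is told to add a header the message itself describes as deprecated. If that case is reachable, consider `if [ -z "$value" ] || [ "$value" = "0" ]; then` so an omitted header is accepted alongside the recommended `0`.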