Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added X-Xss-Protection snippet #86

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,8 @@ What we are doing here is mostly collecting useful snippets from all over the in
- [Password Protect a File or Several Files](#password-protect-a-file-or-several-files)
- [Block Visitors by Referrer](#block-visitors-by-referrer)
- [Prevent Framing the Site](#prevent-framing-the-site)
- [Help to Prevent Cross-Site Scripting](#help-to-prevent-cross-site-scripting)
- [Prevents Mime-Sniffing the Incorrect Content-Type](#prevents-mime-sniffing-the-incorrect-content-type)
- [Performance](#performance)
- [Compress Text Files](#compress-text-files)
- [Set Expires Headers](#set-expires-headers)
Expand Down Expand Up @@ -330,6 +332,20 @@ SetEnvIf Request_URI "/starry-night" allow_framing=true
Header set X-Frame-Options SAMEORIGIN env=!allow_framing
```

### Help to Prevent Cross-Site Scripting
This uses the built-in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit) to block the response if it detects an attack.
[Source](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection)
``` apacheconf
Header always set X-Xss-Protection "1; mode=block"
```

### Prevents Mime-Sniffing the Incorrect Content-Type
This reduces the risk of a file, such as an cleverly-misnamed executable, being treated as a different content-type by the browser than the one being declared by the server. It also reduces exposure to drive-by downloads.
[Source](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options)
``` apacheconf
Header always set X-Content-Type-Options "nosniff"
```

## Performance
### Compress Text Files
``` apacheconf
Expand Down