Insecure or unset HTTP headers - X-XSS Protection

Need

To avoid increasing the likelihood that a stored XSS can be exploited

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Plug Cowboy for building web applications in Elixir

• Usage of the X-XSS-Protection header for preventing cross-site scripting attacks

Description

1. Non-compliant code

defmodule Vulnerable do
  use Plug.Router
  plug :put_secure_browser_headers

  plug :match
  plug :dispatch

    conn...

In this Elixir code snippet, the application sets the deprecated X-XSS-Protection header on its responses. This header only toggles a browser-side filter that modern browsers no longer implement, so it does not protect against stored XSS.

2. Steps

• Disable the X-XSS-Protection filter in the server responses.

• Instead, define the security policy with the Content-Security-Policy (CSP) header.

3. Secure code example

defmodule Secure do
  use Plug.Router
  plug :put_secure_browser_headers

  plug :match
  plug :dispatch

    conn...

In this Elixir code snippet, the application sends a Content-Security-Policy (CSP) header instead of the deprecated X-XSS-Protection header.
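The following is an added example written for this entry, not the page's own code: a Plug.Router whose function plug disables the legacy filter explicitly (X-XSS-Protection: 0, rather than omitting the header) and sends a Content-Security-Policy, followed by a constructed check that runs a request through the router and inspects the headers. It assumes only the plug package; the plug name, route and policy values are choices made for this example.

```elixir
# Added example, not the page's code. A Plug.Router whose function plug sends
# Content-Security-Policy and explicitly switches the legacy XSS filter off
# with "x-xss-protection: 0"; SecureHeadersCheck runs a request through it.
defmodule SecureHeaders do
  use Plug.Router

  plug :put_secure_browser_headers
  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "<h1>hello</h1>")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end

  # Function plug (name chosen for this example; the policy values are an
  # assumption and must be tuned to the application's real script sources).
  defp put_secure_browser_headers(conn, _opts) do
    conn
    # "0" disables the browser-side filter; omitting the header would leave
    # older browsers' default filter behaviour in place.
    |> put_resp_header("x-xss-protection", "0")
    # Script and object restrictions are what actually limit injected markup.
    |> put_resp_header(
      "content-security-policy",
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
    )
    |> put_resp_header("x-content-type-options", "nosniff")
  end
end

# Constructed check: run a GET through the router and inspect the headers.
defmodule SecureHeadersCheck do
  def run do
    conn = Plug.Test.conn(:get, "/") |> SecureHeaders.call(SecureHeaders.init([]))

    ["0"] = Plug.Conn.get_resp_header(conn, "x-xss-protection")
    [csp] = Plug.Conn.get_resp_header(conn, "content-security-policy")
    true = String.contains?(csp, "script-src 'self'")
    :ok
  end
end
```

Calling SecureHeadersCheck.run/0 from iex -S mix returns :ok only when both headers are present with the expected values; a MatchError points at the header that is missing or wrong.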