HTTP X-XSS-Protection Header Deprecated
Description
Detects usage of the deprecated X-XSS-Protection HTTP header when it is set to "1". This legacy header is obsolete and potentially dangerous, since the browser filter it enables can be exploited in older browsers. Modern applications should rely on Content Security Policy (CSP) instead for XSS protection.
Detection Strategy
• Check if the HTTP response contains an X-XSS-Protection header
• Verify if the header value is set to '1'
• Report a vulnerability if both conditions are met, since this indicates use of an obsolete security control
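The three steps above as a runnable checker. This is an added example, not Fluid Attacks' own detection code: the response headers are constructed samples, header names are matched case-insensitively (HTTP requires this), and the checker also parses an optional `mode=block` directive, which goes slightly beyond the bare value "1" described above. The recommendation string follows the common guidance of disabling the filter explicitly and deploying a CSP.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (hypothetical); not captured from any real site.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "legacy": {
        "Content-Type": "text/html",
        "X-XSS-Protection": "1",
    },
    "legacy_block": {
        "content-type": "text/html",
        "x-xss-protection": "1; mode=block",
    },
    "hardened": {
        "Content-Type": "text/html",
        "X-XSS-Protection": "0",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    },
    "no_header": {"Content-Type": "text/html"},
}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Look up a header without regard to case (header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_xss_protection(value: str) -> Tuple[str, Dict[str, str]]:
    """Split an X-XSS-Protection value into its mode token ("0"/"1") and directives."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    mode = parts[0] if parts else ""
    directives: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    return mode, directives


def check_xss_protection(headers: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Step 1-3: header present, value "1", then report. Returns None when not vulnerable."""
    value = get_header(headers, "X-XSS-Protection")
    if value is None:  # step 1: header absent, nothing to report
        return None
    mode, directives = parse_xss_protection(value)
    if mode != "1":  # step 2: filter not enabled (e.g. "0"), nothing to report
        return None
    # step 3: report the obsolete control, noting whether a CSP is already present
    return {
        "header": "X-XSS-Protection",
        "value": value,
        "directives": directives,
        "has_csp": get_header(headers, "Content-Security-Policy") is not None,
        "recommendation": "Set X-XSS-Protection: 0 and deploy a Content-Security-Policy header.",
    }


def scan_responses(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Run the check over several responses; return the names that produced a finding."""
    return [name for name, hdrs in responses.items() if check_xss_protection(hdrs)]


if __name__ == "__main__":
    for name in scan_responses(SAMPLE_RESPONSES):
        finding = check_xss_protection(SAMPLE_RESPONSES[name])
        print(f"{name}: {finding['header']}: {finding['value']} -> {finding['recommendation']}")
```

Running the module flags `legacy` and `legacy_block` and stays silent on the response that sets the header to `0` alongside a CSP, which is the configuration the description recommends.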
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.