Typescript X Xss Protection Header Set
Description
Detects insecurely configured X-XSS-Protection HTTP headers in TypeScript code. The X-XSS-Protection header, while legacy, can create security risks if set incorrectly, potentially enabling rather than preventing XSS attacks in older browsers that still support this header.
Detection Strategy
• Check for HTTP header configurations in the code where X-XSS-Protection is being set
• Identify instances where the X-XSS-Protection header value is set to insecure values like '0' or missing mode=block directive
• Flag header configurations that could weaken browser XSS protections or create false sense of security
Vulnerable code example
import { HttpHeaders } from '@angular/common/http';
export class SecurityService {
createHeaders() {
// Vulnerable: Setting X-XSS-Protection to unsafe value instead of '1; mode=block'
const headers = new HttpHeaders({
'Content-Type': 'application/json',
'X-XSS-Protection': 'anything'...✅ Secure code example
import { HttpHeaders } from '@angular/common/http';
export class SecurityService {
createHeaders() {
// Secure: Set X-XSS-Protection with proper value to block XSS attacks
const headers = new HttpHeaders({
'Content-Type': 'application/json',
'X-XSS-Protection': '1; mode=block'...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.