What is XSS protection?
XSS, short for cross-site scripting, is a type of computer security vulnerability typically found in web applications. Due to breaches of browser security, XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Its effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. You can read more about XSS here.

Protect your site from cross-site scripting using .htaccess. The directives below set HTTP response headers, so Apache's mod_headers module must be enabled.

 # Don't allow this site's pages to be framed by other sites - defends against clickjacking
 # (not CSRF). The only valid values are DENY, SAMEORIGIN and ALLOW-FROM <uri>.
 Header set X-Frame-Options SAMEORIGIN
 # Turn on the IE8/IE9 (and WebKit) reflected-XSS filter
 Header set X-XSS-Protection "1; mode=block"
 # Only allow JavaScript from this domain and the domains you trust.
 # Big thanks to Facebook.
 # X-Content-Security-Policy is the old Firefox-prefixed syntax; newer browsers read
 # Content-Security-Policy instead. Note that "options inline-script eval-script"
 # allows inline scripts and eval(), which weakens the protection against injected script.
 Header set X-Content-Security-Policy "allow *.ezadblog.my script-src http://*.recaptcha.net http://*.scorecardresearch.com https://*.scorecardresearch.com https://*.recaptcha.net https://*.facebook.com http://*.fbcdn.net https://*.fbcdn.net http://*.facebook.com http://*.facebook.net https://*.facebook.net http://*.linkedin.com http://*.akamaihd.net https://*.akamaihd.net https://*.linkedin.com http://*.disqus.com https://*.disqus.com http://*.twitter.com https://*.twitter.com;options inline-script eval-script;"
 # Prevent MIME-sniffing based attacks
 Header set X-Content-Type-Options "nosniff"
 # For site performance
 # You can use this or increase the cache timeout.
 Header unset ETag
 FileETag None
 # Don't advertise which versions of Apache and PHP are in use, so nobody can
 # pick an exploit for them. ServerSignature Off only removes the footer on
 # Apache-generated pages; the Server header itself is trimmed by "ServerTokens Prod"
 # in the main server config (not valid in .htaccess), and PHP's version comes from
 # its own X-Powered-By header (expose_php = Off in php.ini turns that off).
 ServerSignature Off
 # Access-Control-Allow-Origin takes "*" or a single origin such as https://example.com
 # (placeholder); "SAMEORIGIN" is not a valid value. Omitting the header already limits
 # cross-origin reads to the same origin, so it is left commented out here.
 # Header set Access-Control-Allow-Origin "https://example.com"
 Header set X-Content-Encoded-By "EzadNet"
 # Make your cache private..NOT RECOMMENDED.
 Header set Cache-Control "private"
 # Old-version IE compatibility..NOT RECOMMENDED.
 Header set X-UA-Compatible "IE=EmulateIE7"
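An added example, not part of the original post, that audits a set of response headers against the checks above and flags missing, invalid or weakened values. The sample headers are constructed from the snippet, and the Server value is made up.

```python
import re

# Constructed sample response: values copied from the .htaccess above, plus a
# made-up Server line so the version-disclosure check has something to inspect.
SAMPLE_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Security-Policy": "allow *.ezadblog.my script-src https://*.facebook.com;"
                                 "options inline-script eval-script;",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "SAMEORIGIN",
    "Server": "Apache/2.2.22 (Ubuntu)",
}
ORIGIN_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d+)?$")


def audit_headers(headers: dict) -> dict:
    """Map each checked header to 'ok', 'missing', 'invalid' or 'weak'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out = {}
    # X-Frame-Options (clickjacking): only DENY, SAMEORIGIN and ALLOW-FROM exist.
    xfo = h.get("x-frame-options", "").upper()
    out["X-Frame-Options"] = ("missing" if not xfo else "ok"
        if xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM ") else "invalid")
    # X-XSS-Protection: legacy IE/WebKit filter; "0" switches it off.
    xss = h.get("x-xss-protection")
    out["X-XSS-Protection"] = ("missing" if xss is None else
                               "ok" if xss.startswith("1") else "weak")
    # X-Content-Type-Options: "nosniff" is the only value that does anything.
    xcto = h.get("x-content-type-options", "").lower()
    out["X-Content-Type-Options"] = ("missing" if not xcto else
                                     "ok" if xcto == "nosniff" else "invalid")
    # CSP (standard or legacy X- header): allowing inline script, via the old
    # "options inline-script" or 'unsafe-inline' on script-src, still lets injected script run.
    csp = h.get("content-security-policy") or h.get("x-content-security-policy")
    if csp is None:
        out["Content-Security-Policy"] = "missing"
    else:
        d = {p.split()[0]: p.split()[1:] for p in csp.split(";") if p.strip()}
        script = d.get("script-src", d.get("default-src", []))
        inline = "inline-script" in d.get("options", []) or "'unsafe-inline'" in script
        out["Content-Security-Policy"] = "weak" if inline else "ok"
    # Access-Control-Allow-Origin: "*" or exactly one scheme://host[:port]. Omitting
    # it already means same-origin only, so "SAMEORIGIN" is simply not a value.
    acao = h.get("access-control-allow-origin")
    out["Access-Control-Allow-Origin"] = ("ok" if acao is None else "weak"
        if acao == "*" else "ok" if ORIGIN_RE.match(acao) else "invalid")
    # Server: a "/<digit>" version token is the fingerprint the snippet wants hidden.
    out["Server"] = "weak" if re.search(r"/\d", h.get("server", "")) else "ok"
    return out
```

Running it on SAMPLE_HEADERS reports the CSP as weak (inline script allowed), the Access-Control-Allow-Origin value as invalid, and the Server header as leaking a version.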
01 Mar 2013
