Topic: X-XSS-Protection header?
mrdj1024
Joined: 03 Apr 2023 Posts: 69 Location: Bridgeton, NJ, USA
Posted: Thu 07 Aug '25 22:39 Post subject: X-XSS-Protection header?
Hi!
So I'm curious about the X-XSS-Protection header.
I am seeing conflicting information on the internet: some sites say it's important to use it, while others say it can actually cause issues on certain browsers and is deprecated. Should it be used or not?
James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7431 Location: EU, Germany, Next to Hamburg
Posted: Wed 13 Aug '25 11:10
You can and should set those headers. But you have to make sure that your content still works. Here is an example:
Code:
<IfModule mod_headers.c>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
# Header always set Expect-CT "max-age=86400, enforce"
Header always set Feature-Policy "geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; magnetometer 'none'; accelerometer 'none'; vr 'none'; speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; microphone 'none'"
#Header always set Content-Security-Policy "default-src 'self'"
Header always set Content-Security-Policy "\
default-src 'self' 'unsafe-inline' data:;\
font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; \
style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
script-src 'self' 'unsafe-inline' 'unsafe-eval';"
Header always set Access-Control-Allow-Origin "*"
Header always set X-Content-Type-Options nosniff
</IfModule>
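The quickest way to settle "is it set, and what else is set" is to look at what the server actually returns rather than at the config. The following is an added example, not code from this thread or from Apache httpd: a small Python script that parses an HTTP response head and audits the headers the moderator's config emits. The sample response is constructed by hand to resemble what that <IfModule mod_headers.c> block would send. The checks reflect the point the original question raises: X-XSS-Protection drives a legacy browser filter that current Chrome, Edge and Firefox no longer honour, so a modern CSP does the real work, and the script flags 'unsafe-inline' / 'unsafe-eval' in script-src, a wildcard Access-Control-Allow-Origin, and Feature-Policy without its successor Permissions-Policy. Function and header names in the script are the example's own.

```python
"""Audit the security headers in a raw HTTP response head.

Added example (not code from the Apache Lounge thread or from httpd): parses
the status line and headers of an HTTP response, then applies checks that
mirror the headers in the quoted <IfModule mod_headers.c> block. The sample
response below is constructed by hand to look like what that block would emit.
"""

# Constructed sample: a response head as the quoted config would produce it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Feature-Policy: geolocation 'none'; camera 'none'\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline' data:; "
    "font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; "
    "style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval';\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict[str, str]:
    """Return the headers of a response head, keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(raw: str) -> list[str]:
    """Return a list of findings for a response head; an empty list means clean."""
    h = parse_headers(raw)
    findings: list[str] = []

    # MIME sniffing: the value must be exactly "nosniff" (case-insensitive).
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        # script-src falls back to default-src when it is not given explicitly.
        script = csp.get("script-src", csp.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script:
                findings.append(f"CSP script-src allows {weak}")
        # Clickjacking: either frame-ancestors or X-Frame-Options must be present.
        if "frame-ancestors" not in csp and "x-frame-options" not in h:
            findings.append("no clickjacking control (frame-ancestors or X-Frame-Options)")

    # Legacy XSS filter header: "0" disables the filter; anything else enables
    # a mechanism that current Chrome, Edge and Firefox no longer implement.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(
            f"X-XSS-Protection set to '{xss}': legacy filter header, "
            "not honoured by current Chrome, Edge or Firefox"
        )

    # A wildcard ACAO lets any origin read the response body with fetch/XHR.
    if h.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin is '*' (any origin may read this response)")

    if "feature-policy" in h and "permissions-policy" not in h:
        findings.append("Feature-Policy present without Permissions-Policy (its successor)")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("-", finding)
```

To run it against a real server, replace SAMPLE_RESPONSE with the head captured by a client of your choice (for example the output of curl's -I option) and read the findings; the script only reports, it does not decide for you whether a finding matters for the content you serve.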