Load the page again and the alert box pops up.
Run the same test in Firefox: the script executes there as well.
Now change the value of the X-XSS-Protection header to 1 and try again.
header("X-XSS-Protection: 1");
The response headers confirm that X-XSS-Protection is now switched on:
HTTP/1.1 200 OK
Date: Sun, Apr 2015 14:54:42 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=8dfb86b13ec9750d1f1afdfc004f5042; path=/
X-XSS-Protection: 1
Content-Length: 820
Keep-Alive: timeout=5, max=100
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Trigger the JavaScript payload on the vulnerable page again. This time the script does not run. Open the Chrome console to see what happened.
The console message shows that the browser's XSS filter blocked the script from executing.
header("X-XSS-Protection: 1");
With no further parameter, this header tells the browser to sanitize the response: the injected script is removed, but the rest of the page is still rendered.
Other parameters can be added, for example:
header("X-XSS-Protection: 1; mode=block");
Test again: with mode=block the browser does not sanitize the page but refuses to render it at all, so you get a blank page.
The response headers are now:
HTTP/1.1 200 OK
Date: Mon, Apr 2015 09:59:22 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=729f2f716310ccfe353c81ced1602cf0; path=/
X-XSS-Protection: 1; mode=block
Content-Length: 846
Keep-Alive: timeout=5, max=100
Connection: keep-alive
Content-Type: text/html; charset=utf-8
This works in the mainstream browsers that ship a reflected-XSS filter (IE, Chrome, Safari). Firefox has never supported this header, so in Firefox the alert box still pops up.
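The test page used for the steps above is not shown on the page. The following is an added example, not the original article's script: a single PHP file that sends one of the three header values depending on a (hypothetical) mode parameter and reflects a (hypothetical) q parameter unescaped, so that the browser's reflected-XSS filter has something to react to. A safe=1 switch turns on output encoding, which is the real fix. The parameter names and the file name are assumptions.

```php
<?php
// xss_protection_test.php -- added example, not the original page's test script.
// Assumed (hypothetical) query parameters:
//   mode = off | filter | block   selects which X-XSS-Protection header is sent
//   q    = text reflected into the page; deliberately NOT escaped unless safe=1,
//          so the browser's reflected-XSS filter has a payload to match
//   safe = 1 enables output encoding, the mitigation the header does not replace
// isset() is used instead of ?? so the script also runs on the PHP 5.6 seen above.

$mode = isset($_GET['mode']) ? $_GET['mode'] : 'block';
$q    = isset($_GET['q'])    ? $_GET['q']    : '';
$safe = isset($_GET['safe']) && $_GET['safe'] === '1';

// Headers must be sent before any output, so they come first.
switch ($mode) {
    case 'off':
        header('X-XSS-Protection: 0');              // filter disabled: script runs
        break;
    case 'filter':
        header('X-XSS-Protection: 1');              // sanitize: script stripped, page rendered
        break;
    default:
        header('X-XSS-Protection: 1; mode=block');  // block: page not rendered at all
        break;
}
header('Content-Type: text/html; charset=utf-8');

// Context-aware output encoding for an HTML text node. This is what actually
// closes the hole; the header above is only defence in depth.
$reflected = $safe
    ? htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    : $q;   // intentionally vulnerable branch used for the header test
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>X-XSS-Protection test</title>
</head>
<body>
<p>Mode: <?php echo htmlspecialchars($mode, ENT_QUOTES, 'UTF-8'); ?></p>
<p>Safe output: <?php echo $safe ? 'yes' : 'no'; ?></p>
<p>You searched for: <?php echo $reflected; ?></p>
</body>
</html>
```

Request it as xss_protection_test.php?mode=filter&q=%3Cscript%3Ealert(1)%3C/script%3E and compare with mode=off and mode=block; then add &safe=1 to confirm that with encoding the payload is inert regardless of the header. Two things to keep in mind when reproducing the test: the filter only fires when the script in the response matches what was sent in the request, so the payload has to be in the URL (reflected), and the filter itself only exists in older browser versions, so the header's effect will not be visible in Firefox or in current Chromium-based browsers.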
Summary
X-XSS-Protection should therefore be treated as defense in depth only. It does not fully protect a site: it covers only reflected XSS, only in browsers that implement the filter (Firefox never did, and Chrome removed its XSS Auditor in version 78, so current Chromium-based browsers ignore the header), and such filters have known bypasses. Developers must still fix the root cause with context-aware output encoding and, where possible, add a Content-Security-Policy.