Defending against web attacks using HTTP Headers


Load the page again and the warning box pops up.

Repeat the same test in Firefox: the script executes there as well.

Now change the value of the X-XSS-Protection header to 1 and try again.

header("X-XSS-Protection: 1");

The response headers confirm that X-XSS-Protection is now enabled:

HTTP/1.1 200 OK
Date: Sun, Apr 2015 14:54:42 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=8dfb86b13ec9750d1f1afdfc004f5042; path=/
X-XSS-Protection: 1
Content-Length: 820
Keep-Alive: timeout=5, max=100
Connection: keep-alive
Content-Type: text/html; charset=utf-8

Load the vulnerable page again: this time the script does not execute. Open the Chrome console to see what is going on.

From the console message, we can tell that the script was not executed.

header("X-XSS-Protection: 1");

With no further parameters, this header only prevents the script from executing.

We can add other parameters, for example:

header("X-XSS-Protection: 1; mode=block");

When you test again, the browser prevents the script from executing and returns a blank page.

The response headers are now:

HTTP/1.1 200 OK
Date: Mon, Apr 2015 09:59:22 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=729f2f716310ccfe353c81ced1602cf0; path=/
X-XSS-Protection: 1; mode=block
Content-Length: 846
Keep-Alive: timeout=5, max=100
Connection: keep-alive
Content-Type: text/html; charset=utf-8

Although this works well in several mainstream browsers (IE, Chrome, Safari), the header is not supported by Firefox, so the warning box still pops up there.
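To check how a server actually configures this header, the following helper (an added example, not code from the original article) parses a raw response header block like the dumps above, normalising the mixed-case names those dumps show, and classifies the X-XSS-Protection value as missing, disabled, filter-only or mode=block. The header dumps embedded in it are constructed and abbreviated.

```python
"""Report how X-XSS-Protection is set in a raw HTTP response header block.
Added example, not from the original article; header dumps are constructed."""
from typing import Dict, Tuple


def parse_response_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (status line, {lower-cased header name: value}).

    Header names are case-insensitive, so they are normalised; the dumps in
    the article mix 'X-xss-protection' and 'x-powered-by'. Blank lines are
    skipped and repeated names are joined with ', '.
    """
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header field, ignore it
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0].strip(), headers


def xss_protection_mode(headers: Dict[str, str]) -> str:
    """Classify the header as 'missing', 'disabled', 'filter', 'block' or 'invalid'.

    '1' lets the browser sanitise the script but still render the page;
    '1; mode=block' stops rendering (the blank page the article observes);
    '0' switches the filter off. Directives are matched case-insensitively.
    """
    value = headers.get("x-xss-protection")
    if value is None:
        return "missing"
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return "invalid"
    if parts[0] == "0":
        return "disabled"
    directives = {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    return "block" if directives.get("mode") == "block" else "filter"


# Constructed dumps modelled on the two responses shown in the article.
RESPONSE_FILTER = "http/1.1 200 OK\nServer:apache/2.2.29 (Unix)\n\nX-xss-protection:1\ncontent-type:text/html"
RESPONSE_BLOCK = "HTTP/1.1 200 OK\nX-XSS-Protection: 1; Mode=block\nContent-Type: text/html"

if __name__ == "__main__":
    for raw in (RESPONSE_FILTER, RESPONSE_BLOCK):
        print(xss_protection_mode(parse_response_headers(raw)[1]))
```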

Summary

X-XSS-Protection should therefore be treated as one layer of defense in depth. Because it does not fully protect the web site, developers must make sure they have other means of protection in place.
