
Insecure or unset HTTP headers - X-XSS Protection

Need

Implementation of secure and properly configured HTTP headers

Context

  • Usage of Java for building cross-platform applications
  • Usage of HttpServletResponse for handling HTTP responses in Java Servlets

Description

Non compliant code

import javax.servlet.http.HttpServletResponse;

public void setHeaders(HttpServletResponse response) {
    // Relies on the browser's deprecated reflected-XSS filter
    response.setHeader("X-XSS-Protection", "1; mode=block");
}

The code above represents a servlet method that sets HTTP headers on a response. The method setHeaders sets the X-XSS-Protection header to 1; mode=block.

The X-XSS-Protection header controlled a legacy, heuristic filter in Internet Explorer, Chrome and Safari (Firefox never implemented one) that stopped a page from loading when it looked like a reflected cross-site scripting (XSS) attack. The header is deprecated; it was used to blunt some reflected XSS attacks before Content Security Policy (CSP) was widely adopted.

Setting the X-XSS-Protection header to 1; mode=block enables the filter in blocking mode: if a reflected attack is detected, the browser refuses to render the page at all. With the value 1 alone, the browser instead tries to sanitize the page by removing the parts it considers unsafe.

However, the filter is no longer recommended for use. Its implementations were inconsistent across browsers, and the filter itself became an attack surface: it could be tricked into stripping legitimate scripts from a page, and its sanitize-or-block decision could be observed cross-origin to leak whether a given string appears in a response. For these reasons Chrome removed its XSS Auditor in 2019, as did Edge before it. A Content Security Policy header should be used instead.

Relying on the X-XSS-Protection header therefore provides no meaningful protection. The filter only ever looked for reflected XSS, so stored and DOM-based XSS pass straight through it, and in browsers that have removed or never had the filter the header does nothing at all. An application that depends on this header for XSS defence leaves its users exposed.

Steps

  • Remove the use of the X-XSS-Protection header.
  • Implement a Content Security Policy (CSP) to mitigate XSS attacks.
  • Validate user input and apply context-aware output encoding to prevent XSS vulnerabilities.
  • Use a modern web application framework or template engine that escapes output by default.
  • Regularly update and patch the application and its dependencies to ensure the latest security fixes are applied.

Compliant code

import javax.servlet.http.HttpServletResponse;

public void setHeaders(HttpServletResponse response) {
    // Removed the deprecated X-XSS-Protection header
    // response.setHeader("X-XSS-Protection", "1; mode=block");

    // Implement a Content Security Policy (CSP)
    response.setHeader("Content-Security-Policy", "default-src 'self'");
}

The original code was using the X-XSS-Protection header, which is now deprecated. This header was originally used to enable the reflected-XSS filter built into some browsers. It is no longer necessary or recommended, because the filter introduced security issues of its own and has since been removed from the major browsers.

The updated code removes the X-XSS-Protection header and instead implements a Content Security Policy (CSP) using the Content-Security-Policy header. CSP is a browser-enforced allow-list that helps to detect and mitigate certain types of attacks, including XSS and data injection attacks. If the application must still serve browsers that carry the legacy filter, the OWASP Secure Headers Project recommends sending X-XSS-Protection: 0 to disable the filter explicitly rather than simply omitting the header.

The CSP is configured to only allow resources from the same origin ('self') to be loaded. Because 'self' does not permit inline scripts, inline event handlers or javascript: URLs, this policy neutralizes the most common XSS payloads even when an injection reaches the page. It is a common starting policy, but it may need to be adjusted depending on the specific needs of your application: if legitimate inline scripts are required, allow them with a per-request nonce or a hash rather than 'unsafe-inline', which would hand the XSS protection back. You can confirm the deployed headers with a request such as curl -sI https://app.example/ and checking that Content-Security-Policy is present and X-XSS-Protection is absent or set to 0.

Please note that while CSP is a powerful tool, it is not a silver bullet for XSS prevention. It is still important to validate user input and encode output for its context, use a modern web application framework that escapes output by default, and regularly update and patch the application and its dependencies to ensure the latest security fixes are applied.
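The following is an added example, not code from the original page. It applies the steps above to a whole application through a servlet Filter: it drops the deprecated filter header (explicitly setting it to 0, per OWASP guidance, for any browser that still carries the legacy filter), generates a fresh CSP nonce per request, exposes it to templates, and sends a nonce-based policy so that legitimate inline scripts keep working without 'unsafe-inline'. The class name, the attribute name cspNonce and the URL pattern "/*" are assumptions chosen for the example.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: replaces the deprecated X-XSS-Protection filter with a
 * nonce-based Content Security Policy applied to every request.
 * Name, attribute key and URL pattern are assumptions for this example.
 */
@WebFilter("/*")
public class SecurityHeadersFilter implements Filter {

    // Request attribute under which the per-request nonce is exposed to templates
    // (assumed name; templates reference it as ${cspNonce}).
    public static final String NONCE_ATTR = "cspNonce";

    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // One unpredictable nonce per response; never reuse it across requests.
        String nonce = newNonce();
        request.setAttribute(NONCE_ATTR, nonce);

        // Explicitly disable the legacy reflected-XSS filter in browsers that still have it
        // (OWASP recommends "0" over omitting the header).
        httpResponse.setHeader("X-XSS-Protection", "0");

        // Headers must be set before the response is committed, i.e. before the chain runs.
        httpResponse.setHeader("Content-Security-Policy", buildPolicy(nonce));

        chain.doFilter(request, response);
    }

    /** 128 bits of CSPRNG output, base64-encoded, as CSP expects for nonce values. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /**
     * Builds the policy for one request. Only scripts carrying this request's nonce
     * may execute; 'strict-dynamic' lets those trusted scripts load further scripts.
     * Inline event handlers, javascript: URLs and plugins are blocked.
     */
    static String buildPolicy(String nonce) {
        return "default-src 'self'; "
             + "script-src 'nonce-" + nonce + "' 'strict-dynamic'; "
             + "object-src 'none'; "
             + "base-uri 'self'; "
             + "frame-ancestors 'none'";
    }
}
```

Every legitimate script tag in the application's JSPs or templates must then carry the nonce, for example <script nonce="${cspNonce}" src="/static/app.js"></script>; a script injected by an attacker cannot know the value, so the browser refuses to run it. Because 'strict-dynamic' causes the browser to ignore 'self' for script-src, same-origin scripts without the nonce are also blocked, which is intended. Roll the policy out first as Content-Security-Policy-Report-Only with a report-uri or report-to directive to find scripts that still lack a nonce before enforcing it.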
