Configuring X-XSS-Protection
There are two configuration options:

- policy can be set to:
  - Disabled
  - FilterDisabled
  - FilterEnabled
- blockMode adds mode=block to the header; defaults to false
Configuration | Resulting header
---|---
policy="Disabled" | None (header not sent)
policy="FilterDisabled" | X-XSS-Protection: 0
policy="FilterEnabled" blockMode="true" | X-XSS-Protection: 1; mode=block
In web.config:

```xml
<x-XSS-Protection policy="FilterEnabled" blockMode="true"/>
<x-XSS-Protection policy="FilterDisabled" />
```
NWebsec.Owin (ASP.NET 4): Register the middleware in the OWIN startup class:

```csharp
using NWebsec.Owin;
...
public void Configuration(IAppBuilder app)
{
    app.UseXXssProtection(options => options.EnabledWithBlockMode());
}
```
Or as an MVC attribute, which defaults to "FilterDisabled" blockMode="true":

```csharp
[XXssProtection]
[XXssProtection(Policy = XXssProtectionPolicy.Disabled)]
```
The header is omitted for redirects and static content.
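The table above maps each NWebsec setting to a header value, and the last sentence names the responses on which the header is deliberately absent. The following Python is an added example, not NWebsec code: it implements the forward mapping from the table, the inverse mapping from a received header value back to (policy, blockMode), and a small audit over captured responses that reports where the emitted header does not match the configured policy while skipping redirects (and, via a flag, static content). The sample responses are constructed for the example; `get_header`, `check_response` and `audit` are hypothetical helper names.

```python
"""Verify NWebsec-style X-XSS-Protection headers against a configured policy.

Added example, not part of NWebsec. The policy names (Disabled, FilterDisabled,
FilterEnabled) and the blockMode flag follow the configuration table; the
responses at the bottom are constructed test data.
"""
from typing import Dict, List, Optional, Tuple

POLICIES = ("Disabled", "FilterDisabled", "FilterEnabled")


def expected_header(policy: str, block_mode: bool = False) -> Optional[str]:
    """Forward mapping from the documentation table.

    Returns the header value NWebsec emits, or None when no header is sent.
    blockMode only has an effect together with FilterEnabled.
    """
    if policy == "Disabled":
        return None
    if policy == "FilterDisabled":
        return "0"
    if policy == "FilterEnabled":
        return "1; mode=block" if block_mode else "1"
    raise ValueError(f"unknown policy: {policy!r}")


def parse_header(value: Optional[str]) -> Tuple[str, bool]:
    """Inverse mapping: classify a received header value as (policy, blockMode).

    Tolerates the whitespace and case changes a reverse proxy may introduce;
    raises ValueError for a value that is not 0 or 1 with optional directives.
    """
    if value is None:
        return ("Disabled", False)
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    if not directives or directives[0] not in ("0", "1"):
        raise ValueError(f"malformed X-XSS-Protection value: {value!r}")
    if directives[0] == "0":
        return ("FilterDisabled", False)
    return ("FilterEnabled", "mode=block" in directives[1:])


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def check_response(status: int, headers: Dict[str, str], policy: str,
                   block_mode: bool = False, static: bool = False) -> List[str]:
    """Compare one response with the configured policy.

    Returns a list of findings; empty means the response is consistent with
    the configuration. Redirects and static content are skipped because the
    middleware does not add the header to them.
    """
    if 300 <= status < 400 or static:
        return []
    actual = get_header(headers, "X-XSS-Protection")
    want = (policy, block_mode if policy == "FilterEnabled" else False)
    try:
        got = parse_header(actual)
    except ValueError as exc:
        return [str(exc)]
    if got != want:
        return [f"expected {expected_header(*want)!r}, got {actual!r} "
                f"(parsed as policy={got[0]}, blockMode={got[1]})"]
    return []


def audit(responses, policy: str, block_mode: bool = False) -> List[Tuple[int, str]]:
    """Run check_response over (status, headers) pairs; return (index, finding)."""
    out: List[Tuple[int, str]] = []
    for idx, (status, headers) in enumerate(responses):
        for finding in check_response(status, headers, policy, block_mode):
            out.append((idx, finding))
    return out


# Constructed sample responses, as if captured from a site configured with
# policy="FilterEnabled" blockMode="true".
SAMPLE_RESPONSES = [
    (200, {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"}),
    (302, {"Location": "/login"}),                                   # redirect: no header expected
    (200, {"content-type": "text/html", "x-xss-protection": "1"}),  # block mode missing
    (200, {"Content-Type": "text/html"}),                            # header missing on a page
]

if __name__ == "__main__":
    for idx, finding in audit(SAMPLE_RESPONSES, "FilterEnabled", True):
        print(f"response {idx}: {finding}")
```

Running the module reports responses 2 and 3 as inconsistent with the configuration and stays silent on the redirect, which is the behaviour the last sentence above describes. The comparison is done on the parsed (policy, blockMode) pair rather than on the raw string so that harmless rewriting by an intermediary does not produce false findings.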