
XSS

This page will show you the options to configure XSS (Cross-Site-Scripting) response headers for your site.

Cross-site scripting (XSS) is a security exploit that allows an attacker to inject malicious client-side code into a website. These attacks succeed when the web application does not apply enough input validation or output encoding. Refer to this MDN link for more details.

Note: For demonstration purposes, the www.nviztest.com domain is used as the example throughout this page.

Prerequisite

  1. You must have a domain configured on Nitrogen.

Steps

  1. Click the Security menu and open the XSS tab.

  2. You will be taken to a screen where you can provide the following details.

    1. Content Type Option: Enabling this adds the X-Content-Type-Options: nosniff response header.
      It tells the browser to honour the MIME type advertised in the Content-Type header rather than sniffing the response body and guessing another type; this stops, for example, a response that was not served as script from being executed as script.
      Note: Refer to this MDN link for more details.

    2. Cross Site Scripting Protection: If enabled, it adds the X-XSS-Protection response header.
      Browsers that implement this header stop a page from loading when they detect a reflected cross-site scripting (XSS) attack.
      Caveat: this is a legacy header. Chromium-based browsers have removed their XSS auditor and Firefox never implemented one, so current versions of those browsers ignore it; it only affects older browsers, and a Content-Security-Policy is the modern replacement.
      Note: Refer to this MDN link for more details.

      1. Block Mode: If chosen, the header is sent as X-XSS-Protection: 1; mode=block and the browser will prevent rendering of the page if an attack is detected.

      2. Sanitize Mode: If chosen, the header is sent as X-XSS-Protection: 1 and, when a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).

    3. X-Frame Option Enabled: If enabled, it adds the X-Frame-Options response header.
      It instructs the browser whether it may render the page inside a frame / iframe / embed / object element, which is the standard defence against clickjacking.
      Note: Refer to this MDN link for more details.

      1. X-Frame Options Value: You can enter either of the values below, which are the two values browsers support for this header:
        e.g.
        • DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
        • SAMEORIGIN: The page can only be displayed in a frame if the framing page is from the same origin as the page itself.


  3. Click the Save button.

Notes

These changes only take effect once deployed; saving them stores them as a draft. Refer to the documentation on the Deploy process for details.
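Once the deploy has gone out, the quickest check is to fetch the site's response headers and confirm that the three headers configured on this page are actually present with the values the XSS tab produces. The script below is an added example, not part of Nitrogen's own tooling: it reads raw HTTP response headers on stdin (for a live check, pipe `curl -sI https://www.nviztest.com/` into it, with the page's demo domain standing in for your own) and, when run directly, exercises two constructed sample responses, one correct and one missing headers.

```shell
#!/bin/sh
# Added example (not Nitrogen tooling): verify the X-Content-Type-Options,
# X-XSS-Protection and X-Frame-Options headers in an HTTP response.
# Live usage:  curl -sI https://www.nviztest.com/ | check_security_headers

# header_value NAME: print the value of response header NAME from the raw
# headers on stdin. Header names are case-insensitive; CR and surrounding
# whitespace are stripped. Prints nothing if the header is absent.
header_value() {
  tr -d '\r' | grep -i "^$1:" | head -n 1 | cut -d: -f2- \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# lower: fold stdin to lower case so values compare case-insensitively.
lower() { tr 'A-Z' 'a-z'; }

# check_security_headers: read raw response headers on stdin and check the
# three headers against the values the XSS tab can produce. Prints one
# PASS/FAIL line per header and returns 0 only when all three are acceptable.
check_security_headers() {
  hdrs=$(cat)
  rc=0

  # Content Type Option -> X-Content-Type-Options: nosniff
  xcto=$(printf '%s\n' "$hdrs" | header_value X-Content-Type-Options | lower)
  if [ "$xcto" = "nosniff" ]; then
    echo "PASS X-Content-Type-Options: nosniff"
  else
    echo "FAIL X-Content-Type-Options: '${xcto:-missing}' (expected nosniff)"
    rc=1
  fi

  # Cross Site Scripting Protection -> "1; mode=block" (Block Mode) or "1"
  # (Sanitize Mode). Spaces inside the value are not significant.
  xxp=$(printf '%s\n' "$hdrs" | header_value X-XSS-Protection | lower | tr -d ' ')
  case "$xxp" in
    "1;mode=block") echo "PASS X-XSS-Protection: block mode" ;;
    "1")            echo "PASS X-XSS-Protection: sanitize mode" ;;
    *) echo "FAIL X-XSS-Protection: '${xxp:-missing}' (expected 1 or 1; mode=block)"; rc=1 ;;
  esac

  # X-Frame Option Enabled -> X-Frame-Options: DENY or SAMEORIGIN
  xfo=$(printf '%s\n' "$hdrs" | header_value X-Frame-Options | lower)
  case "$xfo" in
    deny|sameorigin) echo "PASS X-Frame-Options: $xfo" ;;
    *) echo "FAIL X-Frame-Options: '${xfo:-missing}' (expected DENY or SAMEORIGIN)"; rc=1 ;;
  esac

  return $rc
}

# Constructed sample responses (not captured from a real server).
GOOD_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
'
BAD_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: ALLOW-FROM https://example.com
'

# Demo: the first sample should pass every check and the second should fail.
printf '%s' "$GOOD_HEADERS" | check_security_headers
printf '%s' "$BAD_HEADERS"  | check_security_headers || echo "second sample failed as expected"
```

The function deliberately accepts either X-XSS-Protection form, since both Block Mode and Sanitize Mode are valid choices on the XSS tab, but treats the obsolete ALLOW-FROM form of X-Frame-Options as a failure because modern browsers ignore it.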