Cross Site Scripting (XSS) protection can be bypassed in many browsers, and a user can also switch it off. With the X-XSS-Protection header you can force this protection back on for your web application even if the user has disabled it. It is used by the majority of large web companies, such as Facebook, Twitter and Google.
Using X-XSS Protection
To configure Apache to send the X-XSS-Protection header, add this to your site's configuration in /etc/apache2/httpd.conf (Ubuntu):
Header set X-XSS-Protection "1; mode=block"
Restart Apache Web Server
Check HTTP Response
Using HttpOnly and Secure Flag
Did you know you can mitigate the most common XSS attacks by setting the HttpOnly and Secure flags on your cookies? Without the HttpOnly and Secure flags in the HTTP response header, it is possible to steal or manipulate the web application's session and cookies. It is good practice for developers to set the HttpOnly and Secure flags in the application code. However, due to bad programming or developers' unawareness, the task often falls to the web infrastructure.
Add the following entry in httpd.conf (the replacement contains the regex back-reference $1, so it is quoted as one argument):
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
Restart Apache Web Server
Note: Header edit is not available in Apache versions older than 2.2.24. In those versions you can use the following to set the HttpOnly and Secure flags:
Header set Set-Cookie HttpOnly;Secure
Check HTTP Response
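Both "Check HTTP Response" steps say to verify the headers but not how. The script below is an added example, not part of the original post: it audits raw response headers (as printed by `curl -sI`) for the X-XSS-Protection value and for HttpOnly/Secure on every Set-Cookie, and it mimics the two mod_headers directives above so you can see what they do to a cookie, including the duplicate attributes `Header edit` produces on a cookie that already has the flags. The sample headers are constructed, not captured from a real server.

```python
import re

# Constructed sample of what `curl -sI https://example.test/` might return from
# Apache before the two directives are in place (not captured from a real server).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=abc123; Path=/
Set-Cookie: theme=dark; Path=/; HttpOnly; Secure
"""

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def apply_apache_rules(raw: str) -> str:
    """Mimic the two mod_headers directives from the text:
         Header set  X-XSS-Protection "1; mode=block"
         Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
    Note that `Header edit` appends the flags to every Set-Cookie, even one
    that already carries them (duplicated attributes, harmless to browsers)."""
    out = []
    for line in raw.splitlines():
        if line.lower().startswith("set-cookie:"):
            line = re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", line)
        out.append(line)
    out.append("X-XSS-Protection: 1; mode=block")
    return "\n".join(out) + "\n"

def audit(raw: str) -> list[str]:
    """List what is missing; an empty list means the response looks as expected."""
    findings = []
    headers = parse_headers(raw)
    xss = [v for n, v in headers if n == "x-xss-protection"]
    if not xss:
        findings.append("X-XSS-Protection header missing")
    elif xss[0].replace(" ", "").lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection is '{xss[0]}', expected '1; mode=block'")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]          # cookie name only, value is not logged
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        for flag in ("HttpOnly", "Secure"):
            if flag.lower() not in attrs:
                findings.append(f"cookie {cookie} lacks {flag}")
    return findings
```

Run `audit()` on the output of `curl -sI` against your own server after the restart; the pre-2.2.24 fallback `Header set Set-Cookie HttpOnly;Secure` replaces the whole Set-Cookie value rather than appending to it, so also confirm the cookie name and value still appear in the audited response.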