• README

• Helmet
  • DNSPrefetchControllerHandler
  • FrameGuardHandler
    • Origin
  • InternetExplorerNoOpenHandler
  • NoSniffHandler
  • StrictTransportSecurityHandler
  • XSSFilterHandler

class Helmet::XSSFilterHandler

• Helmet::XSSFilterHandler
• HTTP::Handler
• Reference
• Object

Overview

The X-XSS-Protection HTTP header is a basic protection against cross-site scripting attacks. It was originally by Microsoft but Chrome has since adopted it as well.

This handler sets the X-XSS-Protection header. On modern browsers, it will set the value to 1; mode=block. On old versions of Internet Explorer, this creates a vulnerability (see here and here), and so the header is set to 0 to disable it.

Example usage:

server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::XSSFilterHandler.new,
  # ...
])

To force the header to be set to 1; mode=block on all versions of Internet Explorer, add the set_on_old_ie option:

server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::XSSFilterHandler.new(set_on_old_ie: true),
  # ...
])

Defined in:

helmet/xssfilterhandler.cr

Class Method Summary

• .new(set_on_old_ie : Bool = false)

Instance Method Summary

• #call(context : HTTP::Server::Context)

Class Method Detail

Instance Method Detail