class Helmet::XSSFilterHandler

Overview

The X-XSS-Protection HTTP header is a basic protection against cross-site scripting attacks. It was originally introduced by Microsoft, and Chrome has since adopted it as well.

This handler sets the X-XSS-Protection header. On modern browsers, it will set the value to 1; mode=block. On old versions of Internet Explorer, this creates a vulnerability (see here and here), and so the header is set to 0 to disable it.

Example usage:

server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::XSSFilterHandler.new,
  # ...
])

To force the header to be set to 1; mode=block on all versions of Internet Explorer, add the set_on_old_ie option:

server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::XSSFilterHandler.new(set_on_old_ie: true),
  # ...
])
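The decision the handler makes (modern browser: 1; mode=block; old Internet Explorer: 0 unless set_on_old_ie is given) can be checked without opening a socket. The following is an added example, not the shard's own code: ExampleXSSFilterHandler is a stand-in that reproduces the behaviour described above, the "old IE" threshold (MSIE below version 9, detected from the User-Agent header) is an assumption made for this example rather than something the page states about Helmet's implementation, and the two User-Agent strings are constructed. It also shows how to drive any HTTP::Handler against an in-memory HTTP::Server::Context, which is a convenient way to unit-test header-setting middleware.

```crystal
require "http/server"

# Constructed stand-in for the handler described on this page; not Helmet's code.
class ExampleXSSFilterHandler
  include HTTP::Handler

  def initialize(@set_on_old_ie : Bool = false)
  end

  def call(context : HTTP::Server::Context)
    ua = context.request.headers["User-Agent"]? || ""
    # Disable the filter on old IE (where it can be abused) unless explicitly forced on.
    value = (old_ie?(ua) && !@set_on_old_ie) ? "0" : "1; mode=block"
    context.response.headers["X-XSS-Protection"] = value
    call_next(context)
  end

  # Assumption for this example: MSIE versions below 9 count as "old IE".
  private def old_ie?(ua : String) : Bool
    if m = ua.match(/MSIE (\d+)/)
      m[1].to_i < 9
    else
      false
    end
  end
end

# Run the handler against an in-memory context and return the header it set.
def header_for(user_agent : String, set_on_old_ie = false) : String
  request = HTTP::Request.new("GET", "/", HTTP::Headers{"User-Agent" => user_agent})
  response = HTTP::Server::Response.new(IO::Memory.new)
  context = HTTP::Server::Context.new(request, response)

  handler = ExampleXSSFilterHandler.new(set_on_old_ie: set_on_old_ie)
  # A trivial downstream handler so call_next has somewhere to go.
  handler.next = ->(ctx : HTTP::Server::Context) { ctx.response.print "ok" }
  handler.call(context)

  context.response.headers["X-XSS-Protection"]
end

# Constructed User-Agent strings for the two cases.
OLD_IE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
MODERN_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/70.0 Safari/537.36"

raise "modern browser should get 1; mode=block" unless header_for(MODERN_UA) == "1; mode=block"
raise "old IE should get 0 by default" unless header_for(OLD_IE_UA) == "0"
raise "set_on_old_ie should force 1; mode=block" unless header_for(OLD_IE_UA, set_on_old_ie: true) == "1; mode=block"

puts "all header checks passed"
```

The same header_for helper works unchanged against the real Helmet::XSSFilterHandler (swap the class name), which makes it a quick way to confirm the deployed middleware emits the value you expect for a given User-Agent.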

Defined in:

helmet/xssfilterhandler.cr

Class Method Detail

def self.new(set_on_old_ie : Bool = false)

Instance Method Detail

def call(context : HTTP::Server::Context)