class Helmet::XSSFilterHandler
- Helmet::XSSFilterHandler
- HTTP::Handler
- Reference
- Object
Overview
The X-XSS-Protection HTTP header is a basic protection against cross-site scripting attacks. It was originally introduced by Microsoft, but Chrome has since adopted it as well.

This handler sets the X-XSS-Protection header. On modern browsers it sets the value to `1; mode=block`. On old versions of Internet Explorer this setting itself creates a vulnerability (see the linked references), so for those browsers the header is set to `0` to disable the filter.
Example usage:

```crystal
server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::XSSFilterHandler.new,
  # ...
])
```
To force the header to be set to `1; mode=block` on all versions of Internet Explorer, add the `set_on_old_ie` option:

```crystal
server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::XSSFilterHandler.new(set_on_old_ie: true),
  # ...
])
```
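The following is an added example, not the Helmet shard's own implementation, showing how the policy described above can be expressed as a Crystal `HTTP::Handler` and checked against constructed User-Agent strings. It assumes that "old Internet Explorer" means an MSIE token with a major version below 9; the page does not state the exact cutoff.

```crystal
require "http/server"

# Hypothetical handler (written for this page, not Helmet's code) that applies
# the documented policy: every client gets "1; mode=block", except old
# Internet Explorer, which gets "0" unless set_on_old_ie is true.
class ExampleXSSFilterHandler
  include HTTP::Handler

  # Assumption: "old IE" is an MSIE token with major version below 9.
  OLD_IE_PATTERN = /msie\s+(\d+)/i
  OLD_IE_MAX_MAJOR = 9

  def initialize(@set_on_old_ie : Bool = false)
  end

  def call(context : HTTP::Server::Context)
    ua = context.request.headers["User-Agent"]? || ""
    context.response.headers["X-XSS-Protection"] = header_value_for(ua)
    call_next(context)
  end

  # Pure decision function so the policy can be checked without a server.
  def header_value_for(user_agent : String) : String
    if !@set_on_old_ie && old_ie?(user_agent)
      "0"
    else
      "1; mode=block"
    end
  end

  private def old_ie?(user_agent : String) : Bool
    if match = OLD_IE_PATTERN.match(user_agent)
      match[1].to_i < OLD_IE_MAX_MAJOR
    else
      false
    end
  end
end

# Constructed sample User-Agent strings used to exercise the policy.
MODERN_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
OLD_IE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"

default_handler = ExampleXSSFilterHandler.new
forced_handler  = ExampleXSSFilterHandler.new(set_on_old_ie: true)

puts "modern, default:  #{default_handler.header_value_for(MODERN_UA)}"
puts "old IE, default:  #{default_handler.header_value_for(OLD_IE_UA)}"
puts "old IE, forced:   #{forced_handler.header_value_for(OLD_IE_UA)}"
```

When deploying the real handler, confirm the emitted header the same way: request a page with an old-IE User-Agent and check that the response carries `X-XSS-Protection: 0` unless `set_on_old_ie` was enabled.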