Rust

Made by DeepSource

Audit required: Found X-XSS-Protection header in HTTP response (RS-A1010)

Security
Major
OWASP Top 10

The X-XSS-Protection header in an HTTP response can create XSS vulnerabilities in otherwise safe websites, even though it can protect users of older browsers that do not support CSP.

The X-XSS-Protection header in an HTTP response instructs the browser to enable its built-in Cross-Site Scripting (XSS) filter. This filter is intended to protect users from certain reflected XSS attacks, but it has been known to create XSS vulnerabilities in otherwise safe websites. The filter is not standardized across browsers, which leads to inconsistent behavior. Additionally, modern web standards such as Content Security Policy (CSP) offer more effective protection against XSS attacks.

If the use of the X-XSS-Protection header is intentional, ensure that it is used together with other security measures such as CSP. Otherwise, consider not sending the X-XSS-Protection header at all.

Bad practice

use actix_web::{http::header, HttpResponse};

// Flagged by this rule: the response enables the browser's legacy XSS filter.
// `append_header` returns `&mut HttpResponseBuilder`, so the builder must be
// finished with `.finish()` to produce an `HttpResponse`.
fn handle_request() -> HttpResponse {
    HttpResponse::Ok()
        .append_header((header::X_XSS_PROTECTION, "1; mode=block"))
        .finish()
}

Recommended

use actix_web::{HttpRequest, HttpResponse};

// Send a Content-Security-Policy instead of X-XSS-Protection; the request is
// unused in this minimal handler, hence the leading underscore.
fn handle_request(_req: HttpRequest) -> HttpResponse {
    HttpResponse::Ok()
        .append_header(("Content-Security-Policy", "default-src 'self'"))
        .finish()
}
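The rule above reduces to a check that a defender can also run over captured responses. The following is an added example, not code from the DeepSource rule page or from actix-web: a dependency-free audit that parses raw header lines, treats header names case-insensitively, and classifies the X-XSS-Protection value. It goes slightly beyond the rule text by distinguishing the value `0` (which tells browsers to turn the legacy filter off) from `1` and `1; mode=block` (which enable it), and by reporting whether a Content-Security-Policy accompanies an enabling value. The `Finding` enum, `parse_headers`, `audit` and `audit_raw` functions and the sample header lines are all constructed for this example.

```rust
use std::collections::BTreeMap;

/// Outcome of auditing one response's headers (hypothetical type for this example).
#[derive(Debug, PartialEq, Eq)]
pub enum Finding {
    /// No X-XSS-Protection header is sent: nothing to report.
    Clean,
    /// X-XSS-Protection is present with value "0": the legacy filter is
    /// explicitly turned off, so the filter-induced XSS concern does not apply.
    FilterDisabled,
    /// X-XSS-Protection enables the filter and no Content-Security-Policy is
    /// sent: this is the case the rule flags.
    FilterEnabledWithoutCsp,
    /// X-XSS-Protection enables the filter but a CSP is also sent: still worth
    /// a review, since the rule asks for the header to be intentional.
    FilterEnabledWithCsp,
}

/// Parse raw "Name: value" header lines into a map keyed by lowercase name.
/// Header names are case-insensitive, so normalising here avoids missing a
/// header that a proxy re-spells as "x-xss-protection".
pub fn parse_headers(raw: &str) -> BTreeMap<String, String> {
    raw.lines()
        .filter_map(|line| {
            let (name, value) = line.split_once(':')?;
            Some((name.trim().to_ascii_lowercase(), value.trim().to_string()))
        })
        .collect()
}

/// Only a leading "0" token disables the filter; "1", "1; mode=block" and
/// "1; report=..." all enable it. Anything else is treated as enabling.
fn filter_enabled(value: &str) -> bool {
    let first = value.split(';').next().unwrap_or("").trim();
    first != "0"
}

/// Apply the rule's logic to an already-parsed header map.
pub fn audit(headers: &BTreeMap<String, String>) -> Finding {
    let xss = match headers.get("x-xss-protection") {
        None => return Finding::Clean,
        Some(v) => v,
    };
    if !filter_enabled(xss) {
        return Finding::FilterDisabled;
    }
    if headers.contains_key("content-security-policy") {
        Finding::FilterEnabledWithCsp
    } else {
        Finding::FilterEnabledWithoutCsp
    }
}

/// Convenience wrapper: parse and audit raw header text in one call.
pub fn audit_raw(raw: &str) -> Finding {
    audit(&parse_headers(raw))
}

fn main() {
    // Constructed sample responses, one per outcome.
    let samples = [
        ("bad-practice", "Content-Type: text/html\r\nX-XSS-Protection: 1; mode=block\r\n"),
        ("recommended", "Content-Type: text/html\r\nContent-Security-Policy: default-src 'self'\r\n"),
        ("explicit-off", "Content-Type: text/html\r\nx-xss-protection: 0\r\n"),
        ("both", "X-XSS-Protection: 1\r\nContent-Security-Policy: default-src 'self'\r\n"),
    ];
    for &(label, raw) in samples.iter() {
        println!("{}: {:?}", label, audit_raw(raw));
    }
}
```

Run against the two snippets on this page, the "Bad practice" response yields `FilterEnabledWithoutCsp` and the "Recommended" response yields `Clean`. The value parsing deliberately looks only at the first `;`-separated token, so `1; report=...` is still reported as enabling the filter.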
