My OWASP ZAP tool alerts - Web Browser XSS Protection Not Enabled on a website -

Question

Hi everyone&nbsp;
I am running ASM with Attack Signatures to block XSS attacks but my tool ZAP still alerts me to this issue - Web Browser XSS Protection Not Enabled.  Is there a way to configure ASM to block this response from the web server?&nbsp;
Thanks&nbsp;

samstep · Answer

Hi,
"Web Browser XSS Protection Not Enabled" is a Low severity alert in OWASP ZAP effectively telling that the X-XSS-Protection header is missing in server response. You can easily add this header to your responses using an iRule like this:
when HTTP_RESPONSE { 
  HTTP::header insert "X-XSS-Protection" "1; mode=block" 
}

Forum Discussion

My OWASP ZAP tool alerts - Web Browser XSS Protection Not Enabled on a website -

1 Reply

Recent Discussions

Need advise to setup a policy on F5

Web acceleration

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Related Content

Beyond REST: Protecting GraphQL

L7 DoS Protection with NGINX App Protect DoS

Managing NGINX App Protect WAF for Beginners

F5 Distributed Cloud Bot Defense Protecting AWS CloudFront Distributions

Cookie-based DDoS protection