X-XSS-Protection
The X-XSS-Protection HTTP header provides basic protection against some reflected XSS attacks by telling browser clients how to use their built-in XSS protection filter. Browsers that do not implement such a filter ignore the header, so it complements, but does not replace, output encoding and a Content-Security-Policy.
Note: This functionality is enabled by default for new Spotfire Server installations, and for installations upgraded from 7.5 or later, but not for installations upgraded from versions earlier than 7.5.
The feature can be switched on by running the following commands in the <server installation dir>/tomcat/spotfire-bin directory on the command line. (For details on using the Spotfire command line, see Executing commands on the command line.)
config export-config --force
config set-config-prop -n security.x-xss-protection.enabled -v true
config import-config -c "Enabled X-XSS-Protection"
The feature can be switched off by running the following commands:
config export-config --force
config set-config-prop -n security.x-xss-protection.enabled -v false
config import-config -c "Disabled X-XSS-Protection"
When this feature is enabled, the server will include the HTTP header "X-XSS-Protection: 1; mode=block" in all responses.
The directive can also be customized by running the following commands:
config export-config --force
config set-config-prop -n security.x-xss-protection.directive -v <value>
config import-config -c "Customized X-XSS-Protection directive"
<value> can be set to any of the following values:
- "0"
- "1"
- "1; mode=block"
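After changing the property, a practitioner will want to confirm that responses actually carry the header with one of the three accepted directives. The following check is an added example, not part of the Spotfire documentation or product: it parses a block of HTTP response headers from stdin and validates the X-XSS-Protection value; the sample responses are constructed for the example.

```shell
# Added example (not Spotfire's own tooling): verify that HTTP response headers
# contain X-XSS-Protection with a value the configuration property accepts.

# Print the value of the X-XSS-Protection header read from stdin.
# Header names are case-insensitive; the CR of HTTP line endings is stripped.
xss_header_value() {
    tr -d '\r' | awk -F': *' 'tolower($1) == "x-xss-protection" { print $2; exit }'
}

# Return 0 if the value is one of the directives listed above, 1 otherwise.
xss_value_is_valid() {
    case "$1" in
        "0"|"1"|"1; mode=block") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the header is present with an accepted directive.
check_xss_protection() {
    value=$(xss_header_value)
    [ -n "$value" ] && xss_value_is_valid "$value"
}

# Constructed sample: headers as the server sends them with the feature enabled.
SAMPLE_ENABLED='HTTP/1.1 200 OK
Content-Type: text/html
X-XSS-Protection: 1; mode=block
'
# Constructed sample: the feature switched off, so the header is absent.
SAMPLE_DISABLED='HTTP/1.1 200 OK
Content-Type: text/html
'

if printf '%s' "$SAMPLE_ENABLED" | check_xss_protection; then
    echo "X-XSS-Protection present with an accepted directive"
else
    echo "X-XSS-Protection missing or unexpected"
fi
```

To check a live server, feed it real headers instead of the sample, for example `curl -sI https://<your spotfire server>/ | check_xss_protection`, where the host name is a placeholder for your own installation.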