X-XSS-Protection
The X-XSS-Protection HTTP header provides basic protection against some XSS attacks by telling browser clients how to use their built-in XSS protection filter. This functionality is enabled by default.
X-XSS-Protection can be configured by running the following commands in the <server installation dir>/tomcat/spotfire-bin directory on the command line. (For details on using the Spotfire command line, see Executing commands on the command line.)
config export-config --force
config set-config-prop -n security.x-xss-protection.enabled -v true
config import-config -c "Enabled X-XSS-Protection"
X-XSS-Protection can be switched off by running the following commands:
config export-config --force
config set-config-prop -n security.x-xss-protection.enabled -v false
config import-config -c "Disabled X-XSS-Protection"
When X-XSS-Protection is enabled, the server will include the HTTP header "X-XSS-Protection: 1; mode=block" in all responses.
The directive can also be customized by running the following commands:
config export-config --force
config set-config-prop -n security.x-xss-protection.directive -v value
config import-config -c "Customized X-XSS-Protection directive"
<value> can be set to any of the following values:
- "0"
- "1"
- "1; mode=block"
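To confirm which directive the server actually sends after one of the configuration changes above, the response headers can be checked from a shell. The following is an added example, not part of the Spotfire documentation or tooling; the function name xxp_check, the sample headers, and the host name in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the X-XSS-Protection header found in HTTP response headers.
# xxp_check reads raw response headers on stdin and prints one of:
#   "0", "1", "1; mode=block", "missing", or "unexpected: <value>"
# It returns 0 for the three documented values and 1 otherwise.
# Usage against a live server (host name is a placeholder):
#   curl -s -I https://spotfire.example.com/ | xxp_check

# Constructed sample response headers (not captured from a real server).
SAMPLE_ENABLED='HTTP/1.1 200 OK
Content-Type: text/html
X-XSS-Protection: 1; mode=block
'
SAMPLE_DISABLED='HTTP/1.1 200 OK
Content-Type: text/html
'

xxp_check() {
    # Strip CR from CRLF line endings; header names are case-insensitive.
    raw=$(tr -d '\r' | awk '{
        i = index($0, ":"); if (i == 0) next
        if (tolower(substr($0, 1, i - 1)) == "x-xss-protection") {
            print "V:" substr($0, i + 1); exit
        }
    }')
    # No matching header line at all.
    [ -n "$raw" ] || { echo "missing"; return 1; }
    # Drop the marker and surrounding whitespace from the value.
    val=$(printf '%s' "${raw#V:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    # Compare ignoring case and spacing (a choice made in this example).
    norm=$(printf '%s' "$val" | tr 'A-Z' 'a-z' | tr -d ' \t')
    case "$norm" in
        0)              echo "0" ;;
        1)              echo "1" ;;
        "1;mode=block") echo "1; mode=block" ;;
        *)              echo "unexpected: $val"; return 1 ;;
    esac
}

# Demonstration on the constructed samples.
printf '%s' "$SAMPLE_ENABLED"  | xxp_check           # header present
printf '%s' "$SAMPLE_DISABLED" | xxp_check || true   # header absent
```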