X-XSS-Protection -> Misconfiguration
Low
Vulnerability Details
Hi there,
**URL:** https://www.sfl-tap.army.mil/
I have seen that the website is using the X-XSS-Protection Header.
But it has a strange configuration.
When I take a look at securityheaders, I've seen that you guys use this as configuration.
**X-XSS-Protection:** DENY
DENY is used for the X-Frame Option instead of the X-XSS-Protection. The good configuration should be:
**X-XSS-Protection:** 1; mode=block
And not DENY. This is used for the X-Frame Option.
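A small checker for the mix-up described in the report, added here as an example and not part of the HackerOne submission: it parses an `X-XSS-Protection` value against the directive grammar the header actually accepts (`0`, `1`, `1; mode=block`, optionally `report=<uri>`), flags `DENY`/`SAMEORIGIN` as values that belong to `X-Frame-Options`, and confirms that `X-Frame-Options` itself is present. The header map is constructed to mirror the finding; nothing here contacts the reported site, and the function and constant names are the example's own.

```python
"""Validate X-XSS-Protection / X-Frame-Options values from a response header map.

Added example, not code from the HackerOne report. REPORTED_HEADERS below is
constructed to mirror the finding (X-XSS-Protection carrying an X-Frame-Options value).
"""
import re
from typing import Dict, List

# Values that belong to X-Frame-Options, not X-XSS-Protection.
XFO_VALUES = {"DENY", "SAMEORIGIN"}

# X-XSS-Protection grammar: "0" | "1" followed by zero or more
# "; mode=block" or "; report=<uri>" parameters.
XSSP_RE = re.compile(r"^(0|1(\s*;\s*(mode=block|report=\S+))*)$", re.IGNORECASE)

# Constructed sample mirroring the report (assumption, not a live capture).
REPORTED_HEADERS = {"X-XSS-Protection": "DENY"}


def check_xss_protection(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means both headers look sane."""
    # Header names are case-insensitive, so normalise the keys for lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    value = h.get("x-xss-protection")
    if value is None:
        findings.append("X-XSS-Protection: header absent")
    elif value.upper() in XFO_VALUES:
        # The exact mistake in the report: an X-Frame-Options keyword in the wrong header.
        findings.append(
            f"X-XSS-Protection: '{value}' is an X-Frame-Options value, not a valid "
            f"X-XSS-Protection directive; use '1; mode=block'"
        )
    elif not XSSP_RE.match(value):
        findings.append(f"X-XSS-Protection: unrecognised value '{value}'")
    elif value == "1":
        # Plain "1" asks the browser to sanitise rather than block the page.
        findings.append("X-XSS-Protection: '1' without mode=block; prefer '1; mode=block'")

    # DENY / SAMEORIGIN belong in X-Frame-Options, so make sure that header exists too.
    if "x-frame-options" not in h:
        findings.append("X-Frame-Options: header absent (DENY / SAMEORIGIN belongs here)")
    elif h["x-frame-options"].upper() not in XFO_VALUES:
        findings.append(f"X-Frame-Options: unrecognised value '{h['x-frame-options']}'")

    return findings


if __name__ == "__main__":
    for finding in check_xss_protection(REPORTED_HEADERS):
        print(finding)
```

Running the module against the constructed sample prints two findings: the misplaced `DENY` and the missing `X-Frame-Options`. Feeding it a header map with `X-XSS-Protection: 1; mode=block` and `X-Frame-Options: DENY` returns an empty list, which is the configuration the report asks for.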
Report Stats
- Report ID: 289846
- State: Closed
- Substate: resolved
- Upvotes: 7