TWA 0210

TWA-0210

Message

"X-XSS-Protection is '0'; XSS filtering disabled"

Explanation

The server sends "X-XSS-Protection 0" to the web browser. This disables the XSS (cross-site scripting) filtering in the web browsers. (If the web browser supports XSS filtering and the XSS filtering is enabled by default.)

The X-XSS-Protection should only be disabled in the rare case if a web application can't work with X-XSS-Protection.

Remediation

Set the X-XSS-Protection to 1; mode=block in the web server configuration or in the web application (e.g. PHP scripts).

Warning

The XSS protection by this flag is weak because a lot of modern browsers (e.g. Chrome 78, Edge 17, Firefox 79) don't support this feature. The Content-Security-Policy could be used additionaly.

See

OWAPS: Cross Site Scripting
MDN web docs: X-XSS-Protection
See also MDN web docs: Content-Security-Policy as another guard against XSS.

Home
Codes
TWA-00YY
- TWA-0001
TWA-01YY
TWA-02YY
- TWA-0201
- TWA-0202
- TWA-0203
- TWA-0204
- TWA-0205
- TWA-0206
- TWA-0207
- TWA-0208
- TWA-0209
- TWA-0210
- TWA-0211
- TWA-0212
- TWA-0213
- TWA-0214
- TWA-0215
- TWA-0216
- TWA-0217
- TWA-0218
- TWA-0219
- TWA-0220
- TWA-0221
- TWA-0222
- TWA-0223
- TWA-0224
- TWA-0225
- TWA-0226
- TWA-0227
- TWA-0228
- TWA-0229
- TWA-0230
TWA-03YY
TWA-04YY
- TWA-0401
- TWA-0402
- TWA-0403
- TWA-0404
- TWA-0405
- TWA-0406
- TWA-0407
- TWA-0408
- TWA-0409
- TWA-0410
TWA-05YY
- TWA-0501
- TWA-0502
- TWA-0503
- TWA-0504
TWA-06YY
- TWA-0601
- TWA-0602
- TWA-0603
- TWA-0604
TWA-07YY
- TWA-0701
TWA-08YY
- TWA-0801
- TWA-0802
- TWA-0803
- TWA-0804
- TWA-0805
- TWA-0806
- TWA-0807
- TWA-0808
- TWA-0809
- TWA-0810
TWA-09YY
- TWA-0901

Provide feedback

Saved searches

Use saved searches to filter your results more quickly