HTTP Content Security Policy

HTTP Content Security Policy HTTP response headers help Web documents identify the valid sources to load various objects from like javascript, CSS files, etc. It is commonly denoted by CSP and has 3 versions as of now.

Apart from response header, this policy can also be defined in meta, the reference link on how to do that is provided in the end.

Continue reading “HTTP Content Security Policy”

X-XSS-Protection

We know that inline javascript code execution causes XSS (i.e. cross site scripting), hence to fight this at browser level X-XSS-Protection header was introduced. This header is enabled by default on browsers chrome, IE and safari but to enforce it its better to enabled it. Firefox does not support this HTTP header as it makes use of CSP (Content Security Policy) to provide protection. This header will be replaced by CSP HTTP header as it can disable “unsafe-inline” javascripts. Not all browser support the CSP fully, hence its better to use X-XSS-Protection along with CSP.

Continue reading “X-XSS-Protection”