Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing or insecure "X-XSS-Protection" header #4927

Open
2 of 9 tasks
sureshhcl opened this issue Apr 27, 2021 · 0 comments
Open
2 of 9 tasks

Missing or insecure "X-XSS-Protection" header #4927

sureshhcl opened this issue Apr 27, 2021 · 0 comments
Labels
community Community Raised Issue

Comments

@sureshhcl
Copy link

Stratos Version

4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

AppScan DAST scan should show secure "X-XSS-Protection" header

Actual behaviour

AppScan DAST scan shows Missing or insecure "X-XSS-Protection" header

Steps to reproduce the behavior

AppScan DAST scans for Stratos URL https://ui.169.53.186.50.nip.io. AppScan detected that the X-XSS-Protection response header is missing or with an insecure value, which may allow Cross-Site Scripting attacks

Log output covering before error and any error statements

Cookie: console-session=MTYxNTM4NzIzMnxCUXdBQWpFeXztgIxZj4pvgrBZifTEg0HKyav_eL0siIp-DGc0CaLQig==
Connection: keep-alive
Sec-Fetch-Mode: cors
Host: ui.169.53.186.50.nip.io
Accept: application/json, text/plain, */*
Accept-Language: en-US
Sec-Fetch-Dest: empty
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Credentials: true
Pragma: no-cache
Access-Control-Allow-Origin: 
Vary: Origin
X-Frame-Options: SAMEORIGIN
Cache-Control: no-store
Strict-Transport-Security: max-age=15724800; includeSubDomains
Date: Wed, 10 Mar 2021 14:45:51 GMT
Content-Type: application/json; charset=UTF-8
{
 "version": {
 "proxy_version": "4.4.0",
 "database_version": 20200902162200
 },
 "user": {
 "guid": "cf95db97-8e30-41f2-88c2-dd4ace246c94",
 "name": "admin",
 "admin": true,
 "scopes": [

Detailed Description

Config your server to use the "X-XSS-Protection" header with value '1' (enabled)

Context

Possible Implementation

@richard-cox richard-cox added the community Community Raised Issue label Aug 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
community Community Raised Issue
Projects
None yet
Development

No branches or pull requests

2 participants