Forum Discussion
chungyu_16122
Altostratus
Aug 31, 2018
My OWASP ZAP tool alerts - Web Browser XSS Protection Not Enabled on a website
Hi everyone
I am running ASM with Attack Signatures to block XSS attacks but my tool ZAP still alerts me to this issue - Web Browser XSS Protection Not Enabled. Is there a way to configure ASM to block this response from the web server?
Thanks
- samstep
Cirrocumulus
Hi,
"Web Browser XSS Protection Not Enabled" is a Low severity alert in OWASP ZAP, effectively telling you that the X-XSS-Protection header is missing in the server response. You can easily add this header to your responses using an iRule like this:
    when HTTP_RESPONSE {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
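To confirm the result after deploying the iRule, the following added example (not part of the reply above and not ZAP's own rule logic) classifies the X-XSS-Protection header in a raw response head. The function names and sample responses are constructed for illustration.

```python
# Added example: audit the X-XSS-Protection header in a raw HTTP response head.
# The sample responses are constructed for illustration, not captured traffic.

def xss_protection_values(raw_head):
    """Return every X-XSS-Protection value in the response head, in order."""
    values = []
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line:
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-xss-protection":
            values.append(value.strip())
    return values

def audit(raw_head):
    """Classify as missing, duplicate, disabled, enabled-no-block, block or invalid."""
    values = xss_protection_values(raw_head)
    if not values:
        return "missing"
    if len(values) > 1:
        return "duplicate"                      # two copies: browsers may disagree
    directives = [d.replace(" ", "").lower() for d in values[0].split(";")]
    if directives[0] == "0":
        return "disabled"
    if directives[0] == "1":
        return "block" if "mode=block" in directives[1:] else "enabled-no-block"
    return "invalid"

HEAD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
SAMPLES = {
    "backend only": HEAD + "\r\n",
    "with iRule": HEAD + "X-XSS-Protection: 1; mode=block\r\n\r\n",
    "backend disables": HEAD + "x-xss-protection: 0\r\n\r\n",
    # Assumed case: the backend already sends the header and the insert adds a second one.
    "backend + iRule": HEAD + "X-XSS-Protection: 0\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(f"{label:18} -> {audit(head)}")
```

A "duplicate" result means the backend already sets the header, in which case the existing one would need to be removed (for example with HTTP::header remove) before the insert.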