Configuring X-XSS-Protection¶
There are two configuration options
- policy can be set to :
- Disabled
- FilterDisabled
- FilterEnabled
- blockMode adds mode=block in the header, defaults to false
| Configuration | Resulting header |
|---|---|
| policy=”Disabled” | None |
| policy=”FilterDisabled” | X-XSS-Protection: 0 |
| policy=”FilterEnabled” blockMode=”true” | X-XSS-Protection: 1; mode=block |
Register the middleware in the startup class:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
...
app.UseStaticFiles();
app.UseXXssProtection(options => options.EnabledWithBlockMode());
app.UseMvc(...);
}
Or as an MVC attribute, defaults to “FilterDisabled” blockMode=”true”:
[XXssProtection]
[XXssProtection(Policy = XXssProtectionPolicy.Disabled)]
The header is omitted for redirects and static content.