
X-XSS Protection in VestaCP

Posted: Sat Apr 16, 2016 1:38 am
by oddyseus
I'm trying to secure my VPS as much as I can. I ran nikto to find vulnerabilities. I fixed some of them, but couldn't solve the rest.
Here are the ones I couldn't solve:
  + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to
Where should I add this other than .htaccess:


<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
</IfModule>
I've added it to lots of places; some of them gave errors, the others didn't change anything.

Can you tell me the exact path to add the code to prevent XSS attacks? It'd be nice if you gave the specific path (/etc/apache2 etc.) instead of just "conf".

Distro: Debian 8
Nginx: Enabled
SSL: Yes

Edit: I solved the issue. Until now, I thought that I had to change some Apache conf; I was wrong. I added these three lines to /etc/nginx/conf.d/yourip.conf (inside the server part):


    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
And it's solved!

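The post above fixes the nikto findings by adding three `add_header` lines to the nginx server block. The script below is an added example (not from the thread or from VestaCP) that reproduces the nikto-style check offline, so you can confirm the headers actually arrive at the client rather than trusting the config edit: it parses a raw HTTP response head, reports each of the three headers as ok, missing or carrying an unexpected value, and models one nginx pitfall a practitioner hits right after this fix. The two sample responses are constructed; `fetch_headers` is the only networked part and is only needed for a live check.

```python
"""Nikto-style check for the three headers set in the post above.

Added example, not code from the original thread or from VestaCP. The
HTTP responses BEFORE/AFTER are constructed samples so the checks run
offline; fetch_headers() is the only function that uses the network.
"""
from __future__ import annotations

import urllib.request

# Accepted values per header. The post uses X-XSS-Protection "1; mode=block";
# "0" is also accepted because current guidance prefers disabling the legacy
# browser filter outright (assumption of this example, not from the thread).
EXPECTED = {
    "x-frame-options": {"sameorigin", "deny"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1; mode=block", "0"},
}

# Constructed sample responses: before and after the nginx change.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)


def parse_raw_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP response head into {lower-cased name: value}."""
    headers: dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return {header: 'ok' | 'missing' | 'unexpected: <value>'}."""
    result: dict[str, str] = {}
    for name, accepted in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            result[name] = "missing"
        elif value.strip().lower() in accepted:
            result[name] = "ok"
        else:
            result[name] = f"unexpected: {value}"
    return result


def nginx_effective_add_headers(server_level: dict[str, str],
                                location_level: dict[str, str]) -> dict[str, str]:
    """Model nginx add_header inheritance: a location block that has any
    add_header of its own does NOT inherit the server-level ones, so the
    three security headers must be repeated there or they silently vanish."""
    return dict(location_level) if location_level else dict(server_level)


def fetch_headers(url: str) -> dict[str, str]:
    """Live check (needs network): fetch url and return its response headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return {name.lower(): value for name, value in resp.getheaders()}


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, check_security_headers(parse_raw_headers(raw)))
    server = {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}
    location = {"Cache-Control": "no-store"}   # e.g. a location for /api/
    print("headers a location with its own add_header actually sends:",
          nginx_effective_add_headers(server, location))
```

Two caveats worth keeping in mind with this fix: `add_header` lines placed in the `server` block are dropped for any `location` that declares its own `add_header`, which the inheritance model above makes visible, so check the real response with `curl -I` (or `fetch_headers`) per path rather than once per site; and the `X-XSS-Protection` header only steers a legacy browser filter that Chromium-based browsers have since removed and Firefox never had, so treat it as satisfying the scanner rather than as XSS protection, and rely on output encoding and a Content-Security-Policy for that.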
Re: X-XSS Protection in VestaCP

Posted: Mon May 04, 2020 2:55 pm
by Spheerys
Thanks!
Any idea why these 3 lines are not set by default after nginx/vestacp installation ?