
X-XSS Protection in VestaCP Topic is solved


Postby oddyseus » Sat Apr 16, 2016 1:38 am

I'm trying to secure my VPS as much as I can. I run nikto to find vulnerabilities. I fixed some of them, but couldn't solve the rest.
Here are the ones I couldn't solve:

    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to

Where should I add this other than .htaccess:


<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
</IfModule>


I've added it to lots of places; some of them gave errors, the others didn't change anything.

Can you tell me the exact path to add the code to prevent X-XSS attacks? It'd be nice if you gave the specific path (/etc/apache2 etc.) instead of just "conf".

Distro: Debian 8
Nginx: Enabled
SSL: Yes

Edit: I solved the issue. Till now, I thought that I had to change some Apache conf; I was wrong. I added these three lines to /etc/nginx/conf.d/yourip.conf (inside the server part):


    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";


And it's solved!
