HCL Commerce Version 9.1.2.0 or later

Enabling the X-XSS-Protection header

You can configure the X-XSS-Protection header settings to help you protect your site against cross-site scripting attacks. The default value stops some browsers from loading pages when they detect reflected cross-site scripting attacks.

About this task

You can help to protect your site from cross-site scripting attacks using the X-XSS-Protection header.

For more information about this header, please see the Mozilla.org documentation page.

The following are the possible values for your X-XSS-Protection header:

0
    Disables XSS filtering.
1
    Enables XSS filtering (usually the default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
1; mode=block
    Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected. This is the default setting used in Commerce.
1; report=<reporting-URI> (Chromium only)
    Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.

Procedure

  • The Transaction Server’s HttpSecurityFilter class adds the X-XSS-Protection header to the response based on the configuration specified in the foundation wc-component.xml. It is enabled by default for the REST-Transaction WAR as follows:
    <_config:configgrouping name="HttpSecuritySettings_Rest-Transaction">
      <!-- Set the value of the X-XSS-Protection header. An empty value disables this header. The default value stops some browsers from loading pages when they detect reflected cross-site scripting attacks. -->
      <_config:property name="X-XSS-ProtectionHeader" value="1; mode=block"/>
    </_config:configgrouping>

  • To customize the X-XSS-Protection header value, or to specify it for other WARs, add the corresponding property to your extended foundation wc-component.xml file. For more information about how to create a custom configuration file, see Changing properties in the HCL Commerce configuration file (wc-component.xml).
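To confirm that the filter is actually emitting the value you configured, the following added example (not HCL Commerce code) parses an X-XSS-Protection value into its parts and audits a response's header set against the Commerce default; the sample responses are constructed, not captured from a real site.

```python
# Added example (not HCL Commerce code): parse an X-XSS-Protection value and
# audit a response's headers against the Commerce default "1; mode=block".
# Recent Chromium and Firefox ignore this header; keep a CSP as the real control.

COMMERCE_DEFAULT = "1; mode=block"


def parse_xss_protection(value):
    """Return (enabled, mode, report_uri) for one of the four allowed forms:
    "0", "1", "1; mode=block", "1; report=<uri>". Raises ValueError otherwise."""
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        raise ValueError("X-XSS-Protection must start with 0 or 1: %r" % value)
    enabled, mode, report_uri = parts[0] == "1", None, None
    for directive in filter(None, parts[1:]):  # skip a trailing ';'
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name == "mode" and val.lower() == "block":
            mode = "block"
        elif name == "report" and val:
            report_uri = val
        else:
            raise ValueError("unknown X-XSS-Protection directive: %r" % directive)
    if not enabled and (mode or report_uri):
        raise ValueError("directives are not allowed when filtering is disabled")
    return enabled, mode, report_uri


def check_response_headers(headers, expected=COMMERCE_DEFAULT):
    """Return a list of findings for a response's header dict; [] means OK.
    Header names are matched case-insensitively, as HTTP requires."""
    value = next((v for k, v in headers.items() if k.lower() == "x-xss-protection"), None)
    if value is None:
        return ["X-XSS-Protection missing (an empty value in wc-component.xml disables it)"]
    try:
        parsed = parse_xss_protection(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if parsed != parse_xss_protection(expected):
        findings.append("X-XSS-Protection is %r, expected %r" % (value, expected))
    if parsed[0] and parsed[1] is None:
        findings.append("filter would sanitize rather than block; Commerce default is mode=block")
    return findings


# Constructed sample responses, not captured from a real Commerce site.
SAMPLE_RESPONSES = {
    "default": {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"},
    "sanitize-only": {"x-xss-protection": "1"},
    "missing": {"Content-Type": "application/json"},
}
```

Run `check_response_headers(SAMPLE_RESPONSES["sanitize-only"])` to see the findings for a WAR whose property was set to plain `1`; pass the headers of a live response (for example `dict(resp.headers)` from `requests`) to audit a real deployment.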