CodeIgniter Forums
Preventing X-XSS-Protection header missing, X-Content-Type-Options etc - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forum-5.html)
+--- Forum: General Help (https://forum.codeigniter.com/forum-24.html)
+--- Thread: Preventing X-XSS-Protection header missing, X-Content-Type-Options etc (/thread-68471.html)



Preventing X-XSS-Protection header missing, X-Content-Type-Options etc - june123 - 07-14-2017

How can issues such as X-XSS-Protection header missing, X-Content-Type-Options missing, etc., be prevented in CodeIgniter?

I have used the following code in header.php:

Code:
<?php
header('X-XSS-Protection: 1; mode=block');
header('X-Frame-Options: deny');
header('X-Content-Type-Options: nosniff');
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';");
?>



RE: Preventing X-XSS-Protection header missing, X-Content-Type-Options etc - june123 - 07-16-2017

Can someone please give some suggestions? It can be done on the server side, but how do I enforce it from the client?


RE: Preventing X-XSS-Protection header missing, X-Content-Type-Options etc - Martin7483 - 07-17-2017

You can't enforce anything that comes from the client. That's why you must never trust data coming from a request, as it can be manipulated.


RE: Preventing X-XSS-Protection header missing, X-Content-Type-Options etc - Narf - 07-17-2017

XSS is an attack on the client ... Browsers have no interest in ignoring these headers.


RE: Preventing X-XSS-Protection header missing, X-Content-Type-Options etc - Paradinight - 07-17-2017

(07-16-2017, 08:58 PM)june123 Wrote: Can someone please give some suggestions? It can be done on the server side, but how do I enforce it from the client?

https://www.codeigniter.com/user_guide/libraries/output.html

https://github.com/bcit-ci/codeigniter-website/blob/develop/application/core/MY_Controller.php#L20
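The approach the links above point at, as an added example that is not the codeigniter-website project's MY_Controller and not the original poster's header.php: a base controller that queues the headers from the first post through CodeIgniter 3's Output library (set_header()), so every response from a controller extending it carries them, not only responses that happen to load the header.php view.

```php
<?php
// application/core/MY_Controller.php
// Added example. Assumes CodeIgniter 3.x, whose Output library provides
// set_header(); the header values are the ones from the first post.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    /**
     * Response headers sent by every controller that extends this class.
     * Setting them here instead of in a view such as header.php means they
     * are also present on responses that never load that view, e.g. JSON
     * endpoints or error pages, which a header scanner would otherwise flag.
     */
    protected $security_headers = array(
        // Legacy browser-side XSS filter; current Chromium no longer honours
        // it, but sending it is harmless for older clients.
        'X-XSS-Protection'        => '1; mode=block',
        // Forbid any origin from framing this site (clickjacking defence).
        'X-Frame-Options'         => 'DENY',
        // Stop browsers from MIME-sniffing a response away from its declared type.
        'X-Content-Type-Options'  => 'nosniff',
        // 'unsafe-inline' in script-src re-enables inline scripts, the main
        // vector CSP exists to block; drop it once inline scripts are moved
        // into files served from 'self'.
        'Content-Security-Policy' => "default-src 'self'; script-src 'self' 'unsafe-inline'",
    );

    public function __construct()
    {
        parent::__construct();
        $this->send_security_headers();
    }

    /**
     * Queue the headers on the Output library. CI emits them with the
     * response in its output stage, so they apply regardless of which
     * view (if any) the controller ends up loading.
     */
    protected function send_security_headers()
    {
        foreach ($this->security_headers as $name => $value) {
            $this->output->set_header($name . ': ' . $value);
        }
    }
}
```

Application controllers must declare `extends MY_Controller` instead of `extends CI_Controller` for the headers to be applied.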