+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: Preventing X-XSS-Protection header missing, X-Content-Type-Options etc (/showthread.php?tid=68471)
Preventing X-XSS-Protection header missing, X-Content-Type-Options etc - june123 - 07-14-2017
How can issues such as X-XSS-Protection header missing, X-Content-Type-Options missing etc be prevented in Codeigniter ?
I have used the following code in header.php :
Code:
<?php
header('X-XSS-Protection: 1; mode=block');
header('X-Frame-Options: deny');
header('X-Content-Type-Options: nosniff');
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';");
?>RE: Preventing X-XSS-Protection header missing, X-Content-Type-Options etc - june123 - 07-16-2017
Can someone please give some suggestion. It can be done at server side but how to enforce it from client?
RE: Preventing X-XSS-Protection header missing, X-Content-Type-Options etc - Martin7483 - 07-17-2017
You can't enforce anything that comes from the client. Thats why you must never trust data coming from a request as it can be manipulated
RE: Preventing X-XSS-Protection header missing, X-Content-Type-Options etc - Narf - 07-17-2017
XSS is an attack on the client ... Browsers have no interest in ignoring these headers.
RE: Preventing X-XSS-Protection header missing, X-Content-Type-Options etc - Paradinight - 07-17-2017
(07-16-2017, 07:58 PM)june123 Wrote: Can someone please give some suggestion. It can be done at server side but how to enforce it from client?
https://www.codeigniter.com/user_guide/libraries/output.html
https://github.com/bcit-ci/codeigniter-website/blob/develop/application/core/MY_Controller.php#L20