Add HTTP security headers to protect against XSS attacks
HTTP headers are included in every HTTP response from a web server. Setting the
appropriate HTTP headers can reduce the risk of man-in-the-middle and
cross-site-scripting attacks on a web application. You can also reduce
information leaks about the web application configuration - vital data that
gives a would-be attacker clues about potential vulnerabilities. Read on to
find out how to set the appropriate headers in your Perl web application.
The following headers are set:
X-Frame-Options: protect site from being loaded into an frame or iframe (specs)
Strict-Transport-Security: requester to load all content via HTTPS
Content-Security-Policy: sets a whitelist of domains from which content can be safely loaded (specs)
X-Content-Type-Options: disable mime sniffing, disabled by default in IE but enforced anyway.
X-Download-Options: prevent IE from opening an HTML file directly
X-XSS-Protection: turn on its XSS filter
X-Webkit-CSP: iOS Safari 5.0-5.1
These two headers can be switched on optionally to support browsers not yet using the standard hearders.
For more information see also:
You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server.
Open configure, and open the "Extensions" section. Use "Find More Extensions" to get a list of available extensions. Select "Install".
If you have any problems, or if the extension isn't available in
, then you can still install manually from the command-line. See http://foswiki.org/Support/ManuallyInstallingExtensions
for more help.