Open jaymansfield opened 2 years ago
Quoted from Mozilla: "These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline')", already suggested in #183; also, in some cases, X-XSS-Protection can create XSS vulnerabilities in otherwise safe websites. See the section below for more information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Just want to make sure XSS is taken into consideration.
While #183 mentioned the Content-Security-Policy header, it didn't specify to add the unsafe-inline attribute to stop XSS, and only referred to MIME sniff attacks.
By raising this issue, I agree to the terms and conditions presented by Polkadex here: Terms and Conditions
Missing security header X-XSS-Protection
The X-XSS-Protection HTTP header instructs the browser to stop loading web pages when they detect reflected Cross-Site Scripting (XSS) attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such a vulnerability.

onchainaddress: {esm99RRxKvainDsRR6UHRcju4vNnAw1ouZEw64Yfn12tc6HpQ}
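An added header check, not code from the issue or from the Polkadex project, that applies the advice above to a set of response headers: it flags a missing Content-Security-Policy, a `script-src` (or fallback `default-src`) that still permits inline scripts, and an `X-XSS-Protection` value other than `0` (MDN recommends disabling the legacy filter once CSP is in place). The header values in `__main__` are constructed samples.

```python
"""Assess response headers for the CSP / X-XSS-Protection advice discussed above."""
from typing import Dict, List

SCRIPT_NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]  # keep source case: nonces are case-sensitive
    return policy


def inline_scripts_blocked(csp: str) -> bool:
    """True when the policy forbids inline <script> / event-handler execution."""
    policy = parse_csp(csp)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # neither directive present: scripts are unrestricted
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return True
    # CSP Level 3: a nonce or hash in the same directive makes 'unsafe-inline' ignored,
    # so inline scripts without a matching nonce/hash are still blocked.
    return any(s.startswith(SCRIPT_NONCE_OR_HASH) for s in lowered)


def assess_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; header names are matched case-insensitively."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif not inline_scripts_blocked(csp):
        findings.append("CSP allows inline scripts ('unsafe-inline' without nonce/hash)")
    xss = h.get("x-xss-protection")
    if xss is not None and xss.split(";")[0].strip() != "0":
        findings.append("X-XSS-Protection enables the legacy filter; set it to 0 or drop it")
    return findings


if __name__ == "__main__":
    # Constructed sample: legacy filter on, no CSP at all.
    print(assess_headers({"X-XSS-Protection": "1; mode=block"}))
```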