nextcloud / nextcloud.com


[scan.nextcloud.com] X-XSS-Protection does not support "report" property #1091

Open alesnav opened 5 years ago

alesnav commented 5 years ago

Hi there!

I tried your web scanner, but I get "A" instead of "A+" because it seems that your scanner is not parsing the X-XSS-Protection HTTP header correctly.

It seems that it wants "1; mode=block;" as the value of the X-XSS-Protection HTTP header, but does not understand the case where attack attempts are reported to some webpage, for example report-uri.com.

Can you please check if the parser supports it?

My complete header is:

x-xss-protection: 1; mode=block; report="https://XXXXXX.report-uri.com/r/d/xss/enforce"

Thanks, Best regards
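For reference, here is a small parser that accepts the `report=` directive alongside `mode=block`, as an added example rather than the scan.nextcloud.com code (which is not public). The directive names are the documented X-XSS-Protection ones; the rule that "enabled with mode=block counts as blocking regardless of report=" is an assumption drawn from the issue description, and the sample header is the one quoted in the issue.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical X-XSS-Protection parser (not the scanner's own code).
# Grammar handled: "<0|1>[; mode=block][; report=<uri>]", with an optional
# trailing ';' and an optionally double-quoted report URI. Note that most
# browsers have since removed their XSS auditors; CSP is the current control.

@dataclass
class XssProtection:
    enabled: bool
    mode: Optional[str]
    report: Optional[str]

def _split_directives(value: str) -> list:
    """Split on ';' but never inside double quotes (a report URI may be quoted)."""
    parts, buf, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]  # a trailing ';' yields an empty part; drop it

def parse_xss_protection(value: str) -> XssProtection:
    directives = _split_directives(value)
    if not directives or directives[0] not in ("0", "1"):
        raise ValueError(f"X-XSS-Protection must start with 0 or 1: {value!r}")
    result = XssProtection(enabled=directives[0] == "1", mode=None, report=None)
    for directive in directives[1:]:
        name, sep, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "mode" and sep:
            result.mode = val.lower()
        elif name == "report" and sep:
            result.report = val
        else:
            raise ValueError(f"unknown X-XSS-Protection directive: {directive!r}")
    return result

def is_blocking(value: str) -> bool:
    """True when the header asks the browser to block the page on detection.
    An extra report= directive does not weaken that (assumed grading rule)."""
    parsed = parse_xss_protection(value)
    return parsed.enabled and parsed.mode == "block"

# Constructed sample: the header value quoted in this issue.
SAMPLE = '1; mode=block; report="https://XXXXXX.report-uri.com/r/d/xss/enforce"'
```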

alesnav commented 4 years ago

I would help with this issue if the source code of scan.nextcloud.com were public, but I cannot find it...