Hi there!
I tried your web scanner, but I get "A" instead of "A+" because it seems that your scanner is not parsing the X-XSS-Protection HTTP header well.
It seems that it wants "1; mode=block;" as the value for the X-XSS-Protection HTTP header, but does not understand when the attack attempts are reported to some webpage, for example, report-uri.com.
Can you please check if the parser supports it?
My complete header is:
x-xss-protection: 1; mode=block; report="https://XXXXXX.report-uri.com/r/d/xss/enforce"
Thanks, Best regards
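
For reference, a tolerant parser for this header that accepts the report directive alongside mode=block. This is an added example, not part of the original post and not the scanner's own code; the function names and the grading rule in is_strict are assumptions.

```python
import re

def parse_x_xss_protection(value):
    """Parse an X-XSS-Protection value.

    Returns {"enabled": bool, "block": bool, "report": str or None, "errors": list}.
    """
    result = {"enabled": False, "block": False, "report": None, "errors": []}
    # Split on ';' only outside double quotes, so a quoted report URL that
    # contains ';' stays in one piece. A trailing ';' yields no empty token.
    parts = [p.strip() for p in re.findall(r'(?:[^;"]|"[^"]*")+', value)]
    parts = [p for p in parts if p]
    if not parts or parts[0] not in ("0", "1"):
        result["errors"].append("first token must be 0 or 1")
        return result
    result["enabled"] = parts[0] == "1"
    for part in parts[1:]:
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        # Accept the argument with or without surrounding double quotes.
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]
        if name == "mode" and arg.lower() == "block":
            result["block"] = True
        elif name == "report" and sep and arg:
            result["report"] = arg
        else:
            result["errors"].append("unrecognised directive: " + part)
    return result

def is_strict(value):
    """Assumed grading rule: filter enabled, blocking mode on, no parse errors."""
    parsed = parse_x_xss_protection(value)
    return bool(parsed["enabled"] and parsed["block"] and not parsed["errors"])

# Header value taken from the post above (the XXXXXX placeholder is the poster's).
POSTED = '1; mode=block; report="https://XXXXXX.report-uri.com/r/d/xss/enforce"'

if __name__ == "__main__":
    print(parse_x_xss_protection(POSTED))
    print(is_strict(POSTED), is_strict("1; mode=block;"), is_strict("0"))
```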