X-XSS-Protection 1; mode=block

User_PM4K6
User_PM4K6 Member Posts: 19 Red Ribbon

Hello,

The WebLogic server seems to keep adding X-XSS-Protection 1; mode=block. Is there any way to change the value of this header to 0?

When adding X-XSS-Protection 0 with a filter in the application, both are added to the response.

Jdev 12.2.1.4.


TIA

Answers

  • Timo Hahn
    Timo Hahn Senior Principal Technical Consultant - Oracle ACE Director Member, Moderator Posts: 37,554 Red Diamond

    You are looking at the wrong end. Check the WebLogic Server configuration (and/or a possible HTTP server configuration).

    Timo


  • Dimitar Dimitrov
    Dimitar Dimitrov Member Posts: 919 Bronze Trophy
    edited Aug 24, 2021 9:04PM

    According to Oracle, WebLogic Server itself does not send an X-XSS-Protection header. This header is intended to be set from the application. What kind of application and framework do you use?

    Hint: If you have a reverse proxy (e.g. Apache HTTP Server, Oracle HTTP Server, etc.), you can set/modify X-XSS-Protection header there.

    Dimitar

  • User_PM4K6
    User_PM4K6 Member Posts: 19 Red Ribbon

    @Dimitar Dimitrov I read that as well, but even on the admin console the header is added.

    I have tried on both the JDev integrated WebLogic and a few standalone 12.2.1.4 WebLogic servers. All three give exactly the same X-XSS-Protection header. Maybe this could have been added with a CPU at some point that I am unaware of.

    I am using the ADF framework and there is no HTTP server in front.

    I cannot find any documentation for WebLogic setting this header.

    Any ideas appreciated!

  • Dimitar Dimitrov
    Dimitar Dimitrov Member Posts: 919 Bronze Trophy

    X-XSS-Protection header is not set by WebLogic Server. If you create a simple (non-ADF) JSP, you will see that this header is not set in the response. The header is set by JSF or ADF. I'm not sure if there is a simple way to prevent it without an Apache or Oracle HTTP Server at the front.

    P.S. WebLogic Admin Console is a JSF application. The X-XSS-Protection header is set by the application but not by the WebLogic Server itself.

    Dimitar

  • User_PM4K6
    User_PM4K6 Member Posts: 19 Red Ribbon

    @Dimitar Dimitrov you are completely right, JSP does not set it!

    I have explored a bit further and it is ADF adding it, unfortunately. The class ServerWindowManager will set it. Further investigation is needed in order to determine if it can be easily manipulated.
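One way to get a single X-XSS-Protection: 0 header without an HTTP server in front, as an added example that is not code from this thread, from ADF or from Oracle: a servlet filter that wraps the response so that the framework's own later setHeader/addHeader call for that header is rewritten instead of appended. The class name, the header value and the assumption that ADF writes its headers through the response object passed down the filter chain are all mine.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter (not from the thread or from ADF). It pins X-XSS-Protection to "0"
// by wrapping the response so that the later setHeader/addHeader call the framework makes
// for this header is rewritten in place instead of producing a second header value.
public class XssProtectionOverrideFilter implements Filter {
    private static final String HEADER = "X-XSS-Protection";
    private static final String PINNED = "0";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse wrapped = new PinnedHeaderResponse((HttpServletResponse) res);
        wrapped.setHeader(HEADER, PINNED);   // emit our value up front
        chain.doFilter(req, wrapped);        // ADF/JSF now writes headers through the wrapper
    }

    // Intercepts both addHeader and setHeader: addHeader is what appends a duplicate.
    static class PinnedHeaderResponse extends HttpServletResponseWrapper {
        PinnedHeaderResponse(HttpServletResponse response) { super(response); }

        @Override
        public void addHeader(String name, String value) {
            if (HEADER.equalsIgnoreCase(name)) {
                super.setHeader(HEADER, PINNED); // replace, never append
            } else {
                super.addHeader(name, value);
            }
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, HEADER.equalsIgnoreCase(name) ? PINNED : value);
        }
    }
}
```

Register it in web.xml ahead of the ADF/Trinidad filters so the wrapper is in place before ServerWindowManager runs; if the framework still emits two values, it is writing to the underlying response rather than the wrapped one and the override has to move to a reverse proxy as suggested above.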