X-XSS-Protection 1; mode=block

Hello,
The WebLogic server seems to keep adding X-XSS-Protection 1; mode=block. Is there any way to change the value of this header to 0?
When adding the X-XSS-Protection 0 with a filter in the application, both are added to the response.
Jdev 12.2.1.4.
TIA
Answers
-
Timo Hahn Senior Principal Technical Consultant - Oracle ACE Director Member, Moderator Posts: 38,461 Red Diamond
You are looking at the wrong end. Check the WebLogic Server configuration (and/or a possible HTTP server configuration).
Timo
-
According to Oracle, WebLogic Server itself does not send an X-XSS-Protection header. This header is intended to be set from the application. What kind of application and framework do you use?
Hint: If you have a reverse proxy (e.g. Apache HTTP Server, Oracle HTTP Server, etc.), you can set/modify X-XSS-Protection header there.
Dimitar
-
@Dimitar Dimitrov I read that as well, but even on the admin console the header is added.
I have tried on both the JDev integrated WebLogic and a few standalone 12.2.1.4 WebLogics. All three give exactly the same X-XSS-Protection header. Maybe this could have been added with a CPU at some point that I am unaware of.
I am using the ADF framework and there is no HTTP server in front.
I cannot find any documentation for the WebLogic to set this header?
Any ideas appreciated!
-
X-XSS-Protection header is not set by WebLogic Server. If you create a simple (non-ADF) JSP, you will see that this header is not set in the response. The header is set by JSF or ADF. I'm not sure if there is a simple way to prevent it without an Apache or Oracle HTTP Server at the front.
P.S. WebLogic Admin Console is a JSF application. The X-XSS-Protection header is set by the application but not by the WebLogic Server itself.
Dimitar
-
@Dimitar Dimitrov you are completely right, JSP does not set it!
I have explored a bit further and it is ADF adding it, unfortunately. The class ServerWindowManager will set it. Further investigation is needed in order to determine if it can be easily manipulated.