1

I enabled the X-XSS-Protection header in the web.config file:

    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
            <add name="X-XSS-Protection" value="1; mode=block" />
        </customHeaders>
    </httpProtocol>

Now the X-XSS-Protection header appears in responses for text/plain, application/json, text/xml or in requests for images, for example, but it does not appear in the response of the main text/html document. However, it seems that this X-XSS-Protection header is needed precisely on the text/html document. Do you have an idea why this might be happening?

NunoF

1 Answer

0

This was not working as expected because I had just added the custom headers on the server side, and not on the client side. Now I added them to the client side and the headers are appearing as expected.

NunoF
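To confirm which responses actually carry the header after a configuration change, the response heads can be grouped by media type. This is an added example, not part of the original post: the function names are hypothetical and the sample responses are constructed to mirror the symptom described in the question.

```python
from collections import defaultdict

HEADER = "x-xss-protection"

# Constructed sample: saved response heads separated by blank lines, mirroring the
# symptom in the question (header present everywhere except the HTML document).
SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8

HTTP/1.1 200 OK
Content-Type: application/json
X-XSS-Protection: 1; mode=block

HTTP/1.1 200 OK
Content-Type: image/png
X-XSS-Protection: 1; mode=block
"""

def parse_heads(raw):
    """Split concatenated response heads into dicts with lower-cased header names."""
    heads = []
    for block in raw.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [l for l in block.split("\n") if l.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue  # skip anything that is not a status line plus headers
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        heads.append(headers)
    return heads

def audit(raw):
    """Map media type -> [responses seen, responses carrying the header]."""
    report = defaultdict(lambda: [0, 0])
    for h in parse_heads(raw):
        media = h.get("content-type", "unknown").split(";")[0].strip().lower()
        report[media][0] += 1
        report[media][1] += HEADER in h
    return dict(report)

def html_missing(raw):
    """True if any text/html response lacks the header."""
    seen, with_header = audit(raw).get("text/html", [0, 0])
    return seen > with_header

if __name__ == "__main__":
    for media, (seen, ok) in sorted(audit(SAMPLE).items()):
        print(f"{media:20} {ok}/{seen} with X-XSS-Protection")
    print("HTML document missing header:", html_missing(SAMPLE))
```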