SAP Knowledge Base Article - Preview

3108796 - Missing X-XSS-Protection header in Cloud Portal Service site running in BTP Cloud Foundry

Symptom

After penetration testing against site created in Cloud Portal Service running on BTP Cloud Foundry, following security risk get detected:
--------------------------------------------------------------------------------------------------------
Findings: Missing X-XSS-Protection Header
Risk Level: Low
Impact URL(s): <site URL>
 
Observations:
We detected a missing X-XSS-Protection header which means that this website could be at risk of a Cross-site Scripting (XSS) attacks.  
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected XSS attacks.
 
Recommendations:
It is recommended that the following be implemented:
• Add the X-XSS-Protection header with a value of "1; mode= block".
--------------------------------------------------------------------------------------------------------


Read more...

Environment

SAP BTP Cloud Portal Service running in Cloud Foundry(CF)

Product

BTP 1.00

Keywords

CF, missing header, header is missing, lacking, neo, launchpad service , KBA , EP-CPP-CF-APR , Portal/Launchpad RT Approuter , EP-CPP-CF-LP , Launchpad Content (Apps, Groups, Catalogs, Roles) , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.