ajinabraham.njsscan.headers.header_xss_protection.header_xss_lusca

profile photo of ajinabrahamajinabraham
Author
unknown
Download Count*
License

X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.

Run Locally

Run in CI

Defintion

rules:
  - id: header_xss_lusca
    patterns:
      - pattern-inside: |
          $X = require('lusca')
          ...
      - pattern-not: |
          $X.use(helmet())
      - pattern-either:
          - pattern: |
              $X.xssProtection(false)
          - pattern: |
              $X({ xssProtection: false})
    message: X-XSS-Protection header is set to 0. This will disable the browser's
      XSS Filter.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a6
      cwe: cwe-693
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other