by tshadwell 3774 days ago
I don't think `X-XSS-Protection` is a worthwhile header to have. Every browser with XSS protection has it on by default. OWASP says this only exists to turn it on when a user may have turned it off (I have no idea why they would).

`Content-Security-Policy` is an awesome header, but in truth, it's very easy to misconfigure and even when correctly configured is usually fairly easy to bypass on any non-trivially complex website (for example, JSONP is an effective bypass for CSP). It's still worth looking into.

2 comments

None of these things are a silver bullet for security but they're an improvement on the default settings.
JSONP only allows CSP bypass if you return anything other than JSON objects from an API. As long as you don't do that, CSP is fine.
Since JSONP allows you to have a callback, you can load this in script tags on the same domain and make calls to that / those functions.
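The thread above turns on one point: a JSONP endpoint is executable script, so if a CSP allowlists the host serving it, the response runs under the page's policy, while a plain JSON endpoint is not executable. The following is an added example, not code from the thread or from any project mentioned in it, showing the two endpoint shapes side by side with the checks a defender would want: a strict callback allowlist, the correct Content-Type for each shape, and `X-Content-Type-Options: nosniff` so a JSON document referenced from a `<script src>` is refused by the browser. Function names (`isValidCallback`, `buildJsonpBody`, `responseFor`) and the sample payload are constructed for this example.

```javascript
// Added example (not from the HN thread): a hardened JSONP responder beside a
// plain-JSON one. All names and the sample payload below are constructed.

// JSONP wraps a JSON document in a caller-supplied function name and is
// executed as script from whatever host serves it. Anything that survives
// into the callback position runs under the embedding page's CSP, so only a
// strict JavaScript identifier (optionally dotted, e.g. "app.cb") is accepted.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}(\.[A-Za-z_$][\w$]{0,63})*$/;

function isValidCallback(name) {
  return typeof name === 'string' && CALLBACK_RE.test(name);
}

// Builds the JSONP body. The payload goes through JSON.stringify, and
// U+2028/U+2029 are escaped because they are line terminators in JavaScript
// source (but not in JSON) and would otherwise break the emitted script.
function buildJsonpBody(callback, payload) {
  if (!isValidCallback(callback)) {
    throw new Error('invalid JSONP callback');
  }
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // Leading comment and the typeof guard: the comment blunts content-type
  // sniffing tricks, the guard avoids a ReferenceError if the callback is
  // not defined on the page.
  return `/**/ typeof ${callback} === 'function' && ${callback}(${json});`;
}

// Produces the status, headers and body for the two endpoint shapes.
//  - 'json'  declares application/json plus nosniff; with nosniff a browser
//            refuses to execute this response when it is loaded via <script>.
//  - 'jsonp' is genuinely script and must be treated as such when deciding
//            which hosts a CSP script-src may allowlist.
function responseFor(kind, callback, payload) {
  if (kind === 'json') {
    return {
      status: 200,
      headers: {
        'Content-Type': 'application/json; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
      },
      body: JSON.stringify(payload),
    };
  }
  if (kind === 'jsonp') {
    if (!isValidCallback(callback)) {
      return {
        status: 400,
        headers: { 'Content-Type': 'text/plain; charset=utf-8' },
        body: 'bad callback',
      };
    }
    return {
      status: 200,
      headers: {
        'Content-Type': 'application/javascript; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
      },
      body: buildJsonpBody(callback, payload),
    };
  }
  throw new Error('unknown endpoint kind');
}

// Constructed sample payload for the demonstration below.
const SAMPLE = { user: 'alice', roles: ['viewer'] };

console.log(responseFor('json', null, SAMPLE));
console.log(responseFor('jsonp', 'app.cb', SAMPLE));
console.log(responseFor('jsonp', 'alert(1);//', SAMPLE)); // rejected: 400
```

The practical consequence for the CSP discussion: when auditing a `script-src` allowlist, any origin that hosts an endpoint of the `'jsonp'` shape counts as a source of attacker-influenced script, whereas an origin that only serves `'json'` responses with `nosniff` does not, which is exactly the distinction the second comment draws.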