Technical Blog Post
Abstract
How do you configure Maximo and the IBM HTTP Server (IHS) so that the HTTP response header information contains X-XSS-Protection set to "1; mode=block"?
Body
- To configure IHS to set the X-XSS-Protection response header to "1; mode=block", ensure that this line is uncommented in the httpd.conf file located at \IBM\HTTPServer\conf:
LoadModule headers_module modules/mod_headers.so
Then use this directive to set the X-XSS-Protection response header:
Header set X-XSS-Protection "1; mode=block"
This is described in this forum entry:
Adding security parameters to IHS configuration (X-Content-Type-Options, x-Xss-Protection, Content-Security-Policy) - IBM Developer Answers
- To modify the X-XSS-Protection header value for Maximo, edit the web.xml file located at \IBM\SMP\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF.
Modify the following filter definition from:
<filter>
  <filter-name>HttpXFrameOptionsFilter</filter-name>
  <filter-class>psdi.webclient.system.filter.HttpXFrameOptionsFilter</filter-class>
  <init-param>
    <param-name>X-Frame-Options</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
</filter>
To this:
<filter>
  <filter-name>HttpXFrameOptionsFilter</filter-name>
  <filter-class>psdi.webclient.system.filter.HttpXFrameOptionsFilter</filter-class>
  <init-param>
    <param-name>X-Frame-Options</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <init-param>
    <param-name>X-XSS-Protection</param-name>
    <param-value>1; mode=block</param-value>
  </init-param>
</filter>
Save web.xml. Stop the application server, build and deploy Maximo.ear, and restart the application server. (Make sure the nodes are synchronized.)
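Because a mistake in web.xml only shows up after Maximo.ear has been rebuilt and redeployed, the edited file can be checked first. The following Python script is an added example, not IBM or Maximo code; it parses a constructed, cut-down web.xml (the namespace and the deliberate stray space in one param-name are assumptions for illustration) and reports missing or mismatched init-param entries on HttpXFrameOptionsFilter.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the shipped web.xml; the space before X-XSS-Protection is deliberate.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>HttpXFrameOptionsFilter</filter-name>
    <filter-class>psdi.webclient.system.filter.HttpXFrameOptionsFilter</filter-class>
    <init-param>
      <param-name>X-Frame-Options</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
      <param-name> X-XSS-Protection</param-name>
      <param-value>1; mode=block</param-value>
    </init-param>
  </filter>
</web-app>"""
EXPECTED = {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block"}

def local(tag):
    """Drop the '{namespace}' prefix so the check works whatever schema web.xml declares."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Raw text of the first direct child called `name`, or None if absent."""
    for child in elem:
        if local(child.tag) == name:
            return child.text or ""
    return None

def check_web_xml(xml_text, filter_name="HttpXFrameOptionsFilter", expected=EXPECTED):
    """Return a list of problems; an empty list means the filter matches `expected`."""
    root = ET.fromstring(xml_text)
    filters = [e for e in root.iter() if local(e.tag) == "filter"
               and (child_text(e, "filter-name") or "").strip() == filter_name]
    if not filters:
        return [f"filter {filter_name} not found"]
    params, problems = {}, []
    for p in (e for e in filters[0] if local(e.tag) == "init-param"):
        name, value = child_text(p, "param-name") or "", child_text(p, "param-value") or ""
        if name != name.strip() or value != value.strip():
            # Copied snippets can carry stray spaces; flag them rather than rely on trimming.
            problems.append(f"stray whitespace around init-param {name.strip()!r}")
        params[name.strip()] = value.strip()
    for name, want in expected.items():
        if params.get(name) != want:
            problems.append(f"{name}: expected {want!r}, found {params.get(name)!r}")
    return problems

if __name__ == "__main__":
    print(check_web_xml(SAMPLE_WEB_XML))
```

To check the real file, pass the text of the edited web.xml to check_web_xml() before building Maximo.ear.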
- Go to the Maximo login page
- Press F12
- Go to the Network tab
- Press F5
- Click on the Request URL
- Under Headers > Response Headers, check the X-XSS-Protection value. It should be "X-XSS-Protection: 1; mode=block"
UID
ibm11128903