How To
Summary
In newer versions of the major browsers, X-XSS-Protection support is deprecated, and the header itself may introduce other vulnerabilities. This document describes how to remove the X-XSS-Protection header from the response sent to the client by using HTTP Transformation.
Steps
1. Create HTTP Transformation rule
1-1. Log in to the LMI and navigate to the "Web > HTTP Transformation" page
1-2. Create a response (XSLT) type rule
Name: resRemoveXXSSProtection.xsl
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:strip-space elements="*" />
<xsl:template match="/">
<HTTPResponseChange>dummy
<xsl:apply-templates />
</HTTPResponseChange>
</xsl:template>
<xsl:template match="//HTTPResponse/ResponseLine" />
<xsl:template match="//HTTPResponse/Headers/Header">
<xsl:if test="@name='x-xss-protection'">
<Header action="remove">
<xsl:attribute name="name"><xsl:value-of select="@name"/></xsl:attribute>
dummy
</Header>
</xsl:if>
</xsl:template>
<xsl:template match="//HTTPResponse/Cookies" />
<xsl:template match="//HTTPResponse/Credential" />
<xsl:template match="//HTTPResponse/HTTPRequest" />
</xsl:stylesheet>
* Remarks: Do not remove the "dummy" text in the rule.
2. Modify the reverse proxy configuration file (webseald-instance.conf)
2-1. Define the HTTP Transformation rule
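To see what this rule produces for a given response before deploying it, the following added Python model (not IBM's code; WebSEAL runs the XSLT itself) reproduces the rule's selection logic with the standard library. The shape of the HTTPResponse input follows the elements the rule matches (ResponseLine, Headers/Header[@name], Cookies, Credential, HTTPRequest); the sample header values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the XML WebSEAL hands to a response-type rule.
SAMPLE_RESPONSE = """<HTTPResponse>
  <ResponseLine><Version>HTTP/1.1</Version><StatusCode>200</StatusCode><Reason>OK</Reason></ResponseLine>
  <Headers>
    <Header name="content-type">text/html</Header>
    <Header name="x-xss-protection">1; mode=block</Header>
    <Header name="x-content-type-options">nosniff</Header>
  </Headers>
  <Cookies/>
  <Credential/>
  <HTTPRequest/>
</HTTPResponse>
"""

TARGET = "x-xss-protection"  # the literal the rule's xsl:if compares against


def removed_headers(response_xml: str, target: str = TARGET) -> list:
    """Names the rule's Header template would emit with action="remove".

    Like the XPath test @name='x-xss-protection', this is an exact,
    case-sensitive string comparison: a header presented to the rule as
    'X-XSS-Protection' would not be selected by the rule as written.
    """
    root = ET.fromstring(response_xml)
    return [h.get("name") for h in root.findall("./Headers/Header")
            if h.get("name") == target]


def http_response_change(response_xml: str, target: str = TARGET) -> str:
    """Serialise the HTTPResponseChange document the rule would return.

    ResponseLine, Cookies, Credential and HTTPRequest have empty templates
    in the rule, so nothing from them reaches the output; only matching
    headers appear, each as <Header action="remove" name="...">.
    """
    change = ET.Element("HTTPResponseChange")
    change.text = "dummy"  # text node the rule keeps; the page says not to remove it
    for name in removed_headers(response_xml, target):
        hdr = ET.SubElement(change, "Header", {"action": "remove", "name": name})
        hdr.text = "dummy"
    return ET.tostring(change, encoding="unicode")


if __name__ == "__main__":
    print(http_response_change(SAMPLE_RESPONSE))
```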
[http-transformations]
resRemoveXXSSProtection = resRemoveXXSSProtection.xsl
[http-transformations:resRemoveXXSSProtection]
request-match = response:*
2-2. Disable the X-XSS-Protection header in the [rsp-header-names] stanza if it was previously defined
[rsp-header-names]
# X-XSS-Protection = 1;mode=block
3. Restart the reverse proxy
Additional Information
There is an alternative way to disable X-XSS-Protection: set its value to 0. However, this approach still sends the X-XSS-Protection header to the client.
[server]
replace-rsp-headers = yes
[rsp-header-names]
X-XSS-Protection = 0
Document Location
Worldwide
Document Information
Modified date:
18 October 2022
UID
ibm16830251