IBM Support

Remove X-XSS-Protection header from response

How To


Summary

Current versions of the major browsers no longer honour X-XSS-Protection: the built-in XSS filter that the header controlled has been deprecated or removed, and that filter was itself found to introduce other vulnerabilities. The header should therefore be removed rather than relied on. This document describes how to remove the X-XSS-Protection header from responses sent to the client by using an HTTP Transformation rule on the reverse proxy.

Steps

1. Create HTTP Transformation rule
1-1. Log in to the LMI and navigate to the "Web > HTTP Transformation" page
1-2. Create a rule of type XSLT for the response direction with the following content
   Name: resRemoveXXSSProtection.xsl
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:strip-space elements="*" />

  <!-- Emit one HTTPResponseChange document; the "dummy" text is required. -->
  <xsl:template match="/">
    <HTTPResponseChange>dummy
      <xsl:apply-templates />
    </HTTPResponseChange>
  </xsl:template>

  <!-- Leave the status line untouched. -->
  <xsl:template match="//HTTPResponse/ResponseLine" />

  <!-- Emit a remove action only for X-XSS-Protection. XPath string comparison is
       case-sensitive, so the header name is lower-cased before comparing; every
       other header produces no output and so passes through unchanged. -->
  <xsl:template match="//HTTPResponse/Headers/Header">
    <xsl:if test="translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz') = 'x-xss-protection'">
      <Header action="remove">
        <xsl:attribute name="name"><xsl:value-of select="@name"/></xsl:attribute>
        dummy
      </Header>
    </xsl:if>
  </xsl:template>

  <!-- Cookies, the credential and the originating request are not modified. -->
  <xsl:template match="//HTTPResponse/Cookies" />
  <xsl:template match="//HTTPResponse/Credential" />
  <xsl:template match="//HTTPResponse/HTTPRequest" />
</xsl:stylesheet>

* Remarks: Do not remove the "dummy" text from the rule; it is required for the rule to be processed.

2. Modify the reverse proxy configuration file (webseald-instance.conf)
2-1. Define the HTTP Transformation rule in the [http-transformations] stanza and apply it to all responses
[http-transformations]
resRemoveXXSSProtection = resRemoveXXSSProtection.xsl

[http-transformations:resRemoveXXSSProtection]
request-match = response:*

2-2. If the reverse proxy itself was configured to add X-XSS-Protection in the [rsp-header-names] stanza, comment that entry out so the proxy no longer adds the header it is now removing
[rsp-header-names]
# X-XSS-Protection = 1;mode=block

3. Restart the reverse proxy instance so that the new rule and configuration take effect
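As an added check that is not part of the IBM document, the following POSIX shell script verifies from the client side that the header is really gone once the rule is active. The sample header blocks are constructed for illustration, the hostname in the usage comment is a placeholder, and the match is case-insensitive because header names are case-insensitive and a back end may send the header in any capitalisation.

```shell
#!/bin/sh
# Added verification example; not part of the IBM document. The hostname in
# the usage comment is a placeholder, not a real system.

# Read raw HTTP response headers on stdin. Print any X-XSS-Protection line(s)
# and return 0 if the header is present, 1 if it is absent.
xss_protection_present() {
    # Drop CR so CRLF-terminated headers (as curl writes them) match too.
    tr -d '\r' | grep -i '^x-xss-protection:'
}

# Return 0 if the header block passed as $1 does not carry the header.
headers_clean() {
    ! printf '%s\n' "$1" | xss_protection_present >/dev/null
}

# Fetch a URL through the reverse proxy with a GET (not HEAD, which some back
# ends answer differently) and fail if the header survived the rule.
verify_url() {
    url="$1"
    hdrs=$(curl -sS -o /dev/null -D - "$url") || return 2
    if headers_clean "$hdrs"; then
        echo "OK: no X-XSS-Protection in response from $url"
    else
        echo "FAIL: X-XSS-Protection still sent by $url:" >&2
        printf '%s\n' "$hdrs" | xss_protection_present >&2
        return 1
    fi
}

# Constructed sample header blocks (not captured from a real system).
# What a back end typically sends before the rule is applied:
BEFORE='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache'

# The same header sent in lower case by a different back end:
BEFORE_LOWER='HTTP/1.1 200 OK
content-type: text/html
x-xss-protection: 0'

# What the client should see once the rule has removed the header:
AFTER='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache'

# Usage against a live instance (placeholder hostname):
#   verify_url https://webseal.example.com/
```

Run verify_url against a URL on each junction whose back end used to send the header; a non-zero exit means the rule is not matching that response, which is the point to re-check the request-match entry and the header name comparison in the rule.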

Additional Information

An alternative is to disable the browser filter by sending the header with the value 0. Note that this approach still sends an X-XSS-Protection header to the client; it does not remove it.
[server]
replace-rsp-headers = yes

[rsp-header-names]
X-XSS-Protection = 0

Document Location

Worldwide

Product: IBM Security Verify Access Appliance
Component: Security Verify Access > Reverse Proxy
Platform: Platform Independent
Version: All Versions

Document Information

Modified date:
18 October 2022

UID

ibm16830251