Security headers are one of the most important links in the chain of tools and mechanisms that protect a website from external threats. With the help of XSS attacks, attackers can steal passwords stored in the browser and then use them for their own purposes. Below we explain what an XSS attack is and how you can protect yourself from it.
There is a well-known vulnerability called Cross-Site Scripting (XSS), which lets an attacker inject fragments of malicious HTML and JavaScript code into the structure of a site. When this code is executed on the user's computer, a window with a generated link automatically pops up. Clicking on this link takes the person to a site that closely resembles the original; this is done so that the victim does not suspect anything. After the redirect, scripts are launched that steal the passwords saved in your browser.
Fraudsters use different variants of XSS attacks, but most often they use the following:
The problem is that carrying out an XSS attack does not require deep knowledge of hacking or social engineering, which makes this kind of attack quite dangerous, especially because of how inconspicuous it is. However, it is fairly easy to protect against. Below we give recommendations both to site owners and to users who want to protect themselves from such leaks.
First and foremost, never save important passwords in your browser. Of course, it is not very convenient to enter your username and password manually every time, but it matters if you want to protect yourself from intruders. You can store passwords in the browser only for sites and accounts whose compromise would not harm you. Credentials for payment systems, banks and social network accounts are better stored elsewhere.
In addition, be careful when visiting sites: if you notice suspicious activity such as intrusive pop-ups, do not click on the link they offer.
First of all, you need to enable the X-XSS-Protection header, which tells the browser to filter cross-site scripting. Once it is active, a <script> tag passed in the page URL will no longer be executed.
To enable XSS filtering, open the .htaccess file for editing and add the following line:
Header set X-XSS-Protection "1; mode=block"
This works for the Apache web server. If you use Nginx, open the nginx.conf file and add the following to the http block:
add_header X-XSS-Protection "1; mode=block";
It also happens that a VPS user has no access to the configuration files. In that case you can fall back on the PHP header() function:
<?php header("X-XSS-Protection: 1; mode=block"); ?>
Or ask your hosting provider to make the necessary changes to the configuration. In any case, there are enough ways to activate XSS filtering.
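Whichever of the three methods above you use, it is worth verifying that the header actually reaches the browser (the PHP variant, for instance, only works if header() runs before the script sends any output). The following Python script is an added example, not HostZealot's code: it parses a raw HTTP response as text (the sample responses are constructed inline, so it runs offline; for a live site, capture the response with curl -i and pass the text to assess_response) and reports whether X-XSS-Protection is present, enabled and in mode=block. One caveat the article does not mention: Chrome removed its XSS auditor in version 78, Chromium-based Edge does not implement it, and Firefox never did, so the header has no effect in those browsers today; the checker therefore also reports whether a Content-Security-Policy header is present, which is what current browsers use to restrict script execution. The function and constant names are the example's own.

```python
"""Check whether an HTTP response carries the X-XSS-Protection header.

Added example (not HostZealot's code). The responses below are constructed
sample text, so the script runs offline; to check a live site, capture the
response with `curl -i` and feed the text to assess_response().
"""

HEADER_NAME = "x-xss-protection"
CSP_NAME = "content-security-policy"


def parse_headers(header_block):
    """Parse 'Name: value' lines into {lowercase name: [values...]}.

    Values are kept in a list so that a duplicated header (which leaves the
    browser to pick one of two policies) can be detected.
    """
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip blank or malformed lines
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_xss_protection(value):
    """Parse an X-XSS-Protection value such as "1; mode=block".

    Returns {"enabled": bool, "mode": str | None, "report": str | None},
    or None when the value does not follow the "0|1[; mode=block][; report=uri]"
    syntax that the browsers which implemented the header understood.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return None
    policy = {"enabled": parts[0] == "1", "mode": None, "report": None}
    for directive in parts[1:]:
        key, sep, val = directive.partition("=")
        key = key.strip().lower()
        if not sep or key not in ("mode", "report"):
            return None  # unknown or malformed directive
        policy[key] = val.strip()
    return policy


def assess_response(raw_response):
    """Classify a raw HTTP response by its X-XSS-Protection configuration.

    status is one of: "ok" (1; mode=block), "filter-only" (1 without
    mode=block: the browser sanitises the page instead of blocking it),
    "disabled" (0), "malformed", "duplicate" (header sent more than once)
    or "missing". has_csp records whether Content-Security-Policy is present.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    _status_line, _, header_block = head.partition("\r\n")
    headers = parse_headers(header_block)
    values = headers.get(HEADER_NAME, [])
    result = {"value": values[0] if values else None,
              "has_csp": CSP_NAME in headers}
    if not values:
        result["status"] = "missing"
    elif len(values) > 1:
        result["status"] = "duplicate"
    else:
        policy = parse_xss_protection(values[0])
        if policy is None:
            result["status"] = "malformed"
        elif not policy["enabled"]:
            result["status"] = "disabled"
        elif policy["mode"] != "block":
            result["status"] = "filter-only"
        else:
            result["status"] = "ok"
    return result


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "apache_hardened": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
        "Content-Security-Policy: default-src 'self'\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html>...</html>"
    ),
    "nginx_filter_only": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "x-xss-protection: 1\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
    "header_disabled": (
        "HTTP/1.1 200 OK\r\n"
        "X-XSS-Protection: 0\r\n"
        "\r\n"
    ),
    "no_header": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = assess_response(raw)
        print(f"{name:20s} status={verdict['status']:12s} "
              f"value={verdict['value']!r} csp={verdict['has_csp']}")
```

Header names are compared case-insensitively because Nginx and some proxies emit them in lower case; a "filter-only" verdict means the header was set without mode=block, which is weaker than the value recommended above.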
Finally, here is a list of the main tips that will also be useful:
If you have any questions, please contact HostZealot specialists. Our staff will help you resolve issues related to the security of your site and the data on your server.