nbk
Setting XSS Protection Header
We are using a Salesforce partner portal site where Salesforce automatically sets the HTTP header "X-XSS-Protection" to "0" by default.
This has been flagged as a security flaw by our client and we need to overcome this issue.
Steps to reproduce:
Go to https://nbk-developer-edition.na15.force.com/ and, using Chrome's Inspect Element, check the response headers of the sitelogin page. One of the response headers is X-XSS-Protection, which is set to 0. It should ideally be set to 1.
I identified that the Login.salesforce.com page is also setting it to 0; please advise if you have come across this issue and its resolution.
By contrast, google.com is set up with X-XSS-Protection: 1.
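As an added illustration (not part of the question, and not Salesforce's code), the checker below parses the response headers of a few constructed sample responses and reports how the X-XSS-Protection value would be interpreted (its `0`/`1` switch plus the optional `mode=` and `report=` directives), together with whether a Content-Security-Policy header is present. The sample responses are constructed, not captured from the site in the question; the CSP check is included because the XSS filter the header controls is a legacy browser feature, so a reviewer assessing this finding would also want to know whether a CSP is in place.

```python
from typing import Dict, Optional

# Constructed sample responses; these are not captures from any real site.
SAMPLE_RESPONSES = {
    "portal": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "X-XSS-Protection: 0\r\n\r\n<html></html>",
    "filter_block": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\n"
                    "Content-Security-Policy: default-src 'self'\r\n\r\n",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lowercase-keyed header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_xss_protection(value: str) -> dict:
    """Interpret the header's directives: '0', '1', '1; mode=block', '1; report=<url>'."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    result: Dict[str, Optional[object]] = {
        "enabled": parts[0] == "1" if parts else False,
        "mode": None,
        "report": None,
    }
    for directive in parts[1:]:
        key, _, val = directive.partition("=")
        key = key.strip().lower()
        if key == "mode":
            result["mode"] = val.strip().lower()
        elif key == "report":
            result["report"] = val.strip()
    return result


def assess(raw: str) -> dict:
    """Summarise the XSS-related headers of one raw response for a review finding."""
    headers = parse_headers(raw)
    xss = headers.get("x-xss-protection")
    return {
        "x_xss_protection": xss,
        "filter_enabled": parse_xss_protection(xss)["enabled"] if xss is not None else None,
        "csp_present": "content-security-policy" in headers,
    }
```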
Yes, we raised a case with Salesforce, but we still haven't got a resolution and we are working on it.