nbknbk 

Setting XSS Protection Header

We are using a Salesforce partner portal site, where Salesforce automatically sets the HTTP header "X-XSS-Protection" to "0" by default.

This has been flagged as a security flaw by our client, and we need to overcome this issue.
Steps to reproduce:

Go to https://nbk-developer-edition.na15.force.com/ and, using Chrome's Inspect Element, check the response headers of the sitelogin page. One of the response headers is X-XSS-Protection, which is set to 0. It should ideally be set to 1.

I identified that the Login.salesforce.com page is also set to 0; please share if you have come across this issue and its resolution.
The google.com site, by contrast, is set up with X-XSS-Protection: 1.
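
The header check described in the reproduce steps, as an added example that is not part of the original post or of Salesforce's code: it takes a response-header map, classifies the X-XSS-Protection posture, and records whether a Content-Security-Policy is present, since X-XSS-Protection only drives legacy browser XSS filters and CSP is the durable control. The sample header maps are constructed to mirror the thread's observation, and `fetch_headers` is an assumed helper for running the same check against a live URL.

```python
"""Audit the X-XSS-Protection response header (defender's check).

Added example; not code from the forum thread or from Salesforce.
"""
import urllib.request

# Constructed sample headers modelled on the thread's observation
# (site returning X-XSS-Protection: 0). Not captured traffic.
SAMPLE_SITELOGIN_HEADERS = {
    "Content-Type": "text/html;charset=UTF-8",
    "X-XSS-Protection": "0",
}
SAMPLE_HARDENED_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}


def parse_xss_protection(value):
    """Return (enabled, directives) for a value such as '1; mode=block'."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    directives = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    return parts[0] == "1", directives


def audit_headers(headers):
    """Classify the XSS-filter posture; header names compared case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    has_csp = "content-security-policy" in lower
    raw = lower.get("x-xss-protection")
    if raw is None:
        verdict = "absent"
    else:
        enabled, directives = parse_xss_protection(raw)
        if not enabled:
            verdict = "disabled"
        elif directives.get("mode", "").lower() == "block":
            verdict = "enabled-block"
        else:
            verdict = "enabled-filter"
    # Flag only when neither the legacy filter nor CSP is in place.
    return {"x_xss_protection": verdict, "csp_present": has_csp,
            "needs_attention": verdict in ("absent", "disabled") and not has_csp}


def fetch_headers(url, timeout=10):
    """Fetch response headers for a URL (network; not used by the sample run)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    print(audit_headers(SAMPLE_SITELOGIN_HEADERS))
    print(audit_headers(SAMPLE_HARDENED_HEADERS))
```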
 
Shashank (Salesforce Developers)
I see that you raised a case with Salesforce support for the same question and they are working on it. Please let me know in case you need any further assistance here.
nbknbk
Hi Shashank,

Yes, we raised a case with Salesforce, but we still didn't get a resolution and we are working on it.