3385187 - AS Java Security Vulnerability - The server is not configured to return a 'X-XSS-Protection' header
Component: BC-JAS-WEB (Web Container, HTTP, JavaMail, Servlets), Version: 1, Released On: 04.10.2023
Symptom
A third-party tool detects a security vulnerability: the server is not configured to return a 'X-XSS-Protection' header, which means that any page on this website could be at risk of a Cross-Site Scripting (XSS) attack.
Environment
SAP NetWeaver for Application Server Java - all versions
Cause
The Web Container does not include an 'X-XSS-Protection' header with the value '1; mode=block' on all pages.
Resolution
Adjust this property at the global Web Container level. Make sure that your system is on a version that supports this feature, then implement the custom header. See SAP Note 1831525 - Custom Headers Feature for details.
Name and value must be:
headername=X-XSS-Protection
headervalue=1; mode=block
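To verify the fix the way the third-party scanner from the Symptom section does, the following added example (not part of this SAP Note) parses the X-XSS-Protection header of a response and reports whether it matches the required value; the sample responses and paths are constructed.

```python
"""Check HTTP response headers for the X-XSS-Protection value '1; mode=block'.

Hypothetical checker, not SAP code. Note: current browsers ignore this header
(it is a legacy filter), so treat it as scanner compliance, not an XSS fix.
"""

EXPECTED = "1; mode=block"


def parse_xss_protection(value):
    """Parse a header value into (enabled, mode); directives are ';'-separated."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None
    enabled = parts[0] == "1"
    mode = None
    for directive in parts[1:]:
        if "=" in directive:
            key, val = directive.split("=", 1)
            if key.strip().lower() == "mode":
                mode = val.strip().lower()
    return enabled, mode


def check_headers(headers):
    """Return (ok, finding) for one response; header names are case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("x-xss-protection")
    if value is None:
        return False, "server is not configured to return X-XSS-Protection"
    parsed = parse_xss_protection(value)
    if parsed is None or not parsed[0]:
        return False, f"header present but filter disabled: {value!r}"
    if parsed[1] != "block":
        return False, f"header present but mode is not 'block': {value!r}"
    return True, f"ok ({EXPECTED})"


# Constructed sample responses, keyed by request path (not captured from a live system)
SAMPLES = {
    "/app/missing": {"Content-Type": "text/html"},
    "/app/disabled": {"X-XSS-Protection": "0"},
    "/app/noblock": {"x-xss-protection": "1"},
    "/app/fixed": {"X-XSS-Protection": "1; mode=block"},
}


def scan(samples):
    """Run the check over every sample; returns {path: (ok, finding)}."""
    return {path: check_headers(h) for path, h in samples.items()}


if __name__ == "__main__":
    for path, (ok, finding) in scan(SAMPLES).items():
        print(f"{'PASS' if ok else 'FAIL'} {path}: {finding}")
```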
Attributes
Key Value
Requires Action 0