Cross-Site Scripting (also known as XSS) is a client-side attack in which malicious scripts are injected into a web application. Your application then becomes the carrier that delivers the malicious scripts to other users' browsers. Those browsers treat the scripts as coming from a trusted source and execute them.

Secure Apache from Cross-Site Scripting

You can set the X-XSS-Protection header on your Apache web server to prevent cross-site scripting attacks.

To enable X-XSS-Protection, edit the Apache configuration file (e.g., /etc/httpd/conf/httpd.conf or /etc/apache2/conf-enabled/security.conf) and add the configuration below. The Header directive is provided by mod_headers, so that module must be enabled.

Header always set X-XSS-Protection "1; mode=block"

Save the file and close it.

The above setting enables the browser's XSS filter. If a cross-site scripting attack is detected, the browser will sanitize the page and also prevent rendering of the page.

Next, restart the Apache service to apply the changes.

Test XSS Protection Settings

Open your website in a web browser. Press F11 to open the browser's inspect element window. Then view the response headers for the request. You will find the header value as shown in the image below.

[Image: X-XSS-Protection – Secure Apache from Cross-Site Scripting]
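The same check can be done from a terminal. The script below is an added example, not part of the original tutorial: the function name check_xss_header and the URL in the comment are placeholders, and the sample response at the end is constructed so the script runs without a server.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the header from a
# terminal instead of the browser. Pipe response headers into the function:
#   curl -sI https://your-site.example/ | check_xss_header   # placeholder URL

check_xss_header() {
    # Header names are case-insensitive and lines end in CRLF, so strip the
    # carriage returns and compare the lower-cased name. Only the first
    # matching header is used.
    value=$(tr -d '\r' | awk -F: '
        tolower($1) == "x-xss-protection" && !seen++ {
            sub(/^[^:]*:[ \t]*/, "")   # drop "Name:" and leading blanks
            print
        }')

    # Ignore spacing and case inside the value, so "1;  mode=block" and
    # "1; mode=block" are treated the same.
    norm=$(printf '%s' "$value" | tr -d ' \t' | tr 'A-Z' 'a-z')

    case "$norm" in
        "")             echo "MISSING"; return 2 ;;
        "1;mode=block") echo "OK"; return 0 ;;
        *)              echo "UNEXPECTED: $value"; return 1 ;;
    esac
}

# Constructed sample response, so the script runs without a server.
printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-XSS-Protection: 1; mode=block\r\n\r\n' \
    | check_xss_header
```

A MISSING result after editing the configuration usually means mod_headers is not loaded or Apache has not been restarted yet.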

Conclusion

In this tutorial, you have learned the basics of cross-site scripting attacks and how to secure an Apache server from XSS attacks.