authorMicah Anderson <micah@riseup.net>2016-10-24 11:31:41 -0400
committerMicah Anderson <micah@riseup.net>2016-10-24 11:31:41 -0400
commit4db1e7c4454ea05c524be4cc385ede1bab2e1be4 (patch)
tree0d01b73db0d4f4a6ed110bc4e135196376d304e4
parent53ddc64b6aa98653b35b23c334df605ed26ea60b (diff)
Set X-XSS-Protection HTTP response header to '1'.
This HTTP response header enables the cross-site scripting (XSS) filter built into some modern web browsers. The filter is usually enabled by default, so the role of this header is to re-enable it if it was turned off, whether deliberately or by accident.
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb1
1 files changed, 1 insertions, 0 deletions
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 5e27a9e4..e68b9ebe 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -23,6 +23,7 @@ Listen 0.0.0.0:<%= @api_port %>
<% end -%>
Header always unset X-Powered-By
Header always unset X-Runtime
+ Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options: nosniff
</IfModule>
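Review bot: The new `X-XSS-Protection` line is added without any `Content-Security-Policy` next to it, and the browser XSS auditor it enables is a heuristic with known bypasses that has itself been abused to leak cross-origin information, so it should not be counted as this vhost's XSS defense. Choosing `mode=block` over a bare `1` is correct, since the sanitising mode is the one that was exploitable, and that reasoning belongs in a comment above the line, e.g. `# Ask browsers that still ship an XSS auditor to block rather than sanitise; escaping and CSP remain the real defense`. If this vhost only serves the API's JSON responses (the template name suggests so, but the rest of the vhost is outside the hunk) a restrictive policy such as `Header always set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'"` would protect reflected content in error bodies more reliably than the auditor. For consistency, the adjacent `X-Content-Type-Options:` directive carries a trailing colon in the header name that mod_headers tolerates but the new line omits; dropping it would keep the block uniform.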