Cross-site scripting Protection (X-XSS-Protection header)

This header enables the cross-site scripting (XSS) filter in the browser. The health check verifies that the X-XSS-Protection header is present on the response.

How to fix this health check

This health check can be fixed by adding a header before the response is started.

Preferably, use a security library such as NWebsec.

Adding Cross-site scripting Protection using NWebsec

If you take a NuGet dependency on NWebsec.AspNetCore.Middleware, you can use its extension methods on IApplicationBuilder.

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        // Sends "X-XSS-Protection: 1; mode=block" on every response.
        app.UseXXssProtection(options => options.EnabledWithBlockMode());

        // ... rest of the request pipeline
    }
}

Adding Cross-site scripting Protection using manual middleware

If you would rather not depend on third-party libraries, you can add the following custom middleware to the request pipeline.

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
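        app.Use(async (context, next) =>
        {
            // Use the indexer rather than Add(): Add() throws if the header has already been set.
            context.Response.Headers["X-Xss-Protection"] = "1; mode=block";
            await next();
        });

        // ... rest of the request pipeline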
    }
}
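
The manual approach as a reusable middleware class, registered through Response.OnStarting so that the header is written just before the response starts. This is an added example, not code from the original page or from NWebsec; the names XXssProtectionMiddleware and UseManualXXssProtection are hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware (name chosen for this example).
public sealed class XXssProtectionMiddleware
{
    private const string HeaderName = "X-XSS-Protection";
    private const string HeaderValue = "1; mode=block";

    private readonly RequestDelegate _next;

    public XXssProtectionMiddleware(RequestDelegate next) => _next = next;

    public Task InvokeAsync(HttpContext context)
    {
        // OnStarting callbacks run just before the response headers are sent,
        // i.e. after later middleware has had its chance to change the headers.
        context.Response.OnStarting(static state =>
        {
            var headers = ((HttpContext)state).Response.Headers;

            // Keep a value that another component set deliberately.
            if (!headers.ContainsKey(HeaderName))
            {
                headers[HeaderName] = HeaderValue;
            }

            return Task.CompletedTask;
        }, context);

        return _next(context);
    }
}

// Hypothetical extension method so Startup.Configure can call
// app.UseManualXXssProtection() early in the pipeline.
public static class XXssProtectionExtensions
{
    public static IApplicationBuilder UseManualXXssProtection(this IApplicationBuilder app)
        => app.UseMiddleware<XXssProtectionMiddleware>();
}
```

Register it before any middleware that can write a response, such as static files or MVC, so that every response passes through it.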
