(default) Cross-Site Scripting (XSS) in Header Value
Deny Rule Group – (default) Cross-Site Scripting (XSS) in Header Value

XSS_HEADER_VALUE

  • The group contains XSS deny rules for HTTP header values.
  • The security level Basic prevents injection of <script> tags and of known HTML event handler attributes (e.g. "onload").
  • The security level Standard additionally prevents injection of JavaScript code in quoted context (inside an attribute or string delimiter).
  • The security level Strict additionally prevents injection of JavaScript code in unquoted context.
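
The following is an added, constructed example (not Airlock's rule implementation and not part of the original documentation) that shows how a cumulative three-level header-value filter of the kind described above can be structured: each level inherits the checks of the level below it, and a header is rejected as soon as any active check matches. The regular expressions are deliberately simple illustrations of the three categories (script tag / event handler, quoted JavaScript, unquoted JavaScript) and are assumptions of this example, not the product's signatures.

```python
import re
from typing import Dict, List, Tuple

# Security levels in ascending order of strictness. Each level applies its own
# checks plus every check of the levels before it (cumulative model, an assumption
# of this example that mirrors the bullet list above).
LEVELS = ["basic", "standard", "strict"]

# Illustrative detection patterns, constructed for this example only.
CHECKS = {
    "basic": [
        # HTML script tag anywhere in the value
        ("script_tag", re.compile(r"<\s*script\b", re.I)),
        # known HTML event handler attribute followed by '='
        ("event_handler", re.compile(r"\bon(load|error|click|mouseover|focus)\s*=", re.I)),
    ],
    "standard": [
        # JavaScript call that appears after a quote character (quoted context)
        ("quoted_js", re.compile(r"""["'][^"']*\b(alert|eval|document)\s*[.(]""", re.I)),
        # meta refresh manipulation
        ("meta_refresh", re.compile(r"""http-equiv\s*=\s*["']?refresh""", re.I)),
        # legacy CSS expression()
        ("css_expression", re.compile(r"\bexpression\s*\(", re.I)),
    ],
    "strict": [
        # same JavaScript call with no quote required (unquoted context)
        ("unquoted_js", re.compile(r"\b(alert|eval|document)\s*[.(]", re.I)),
        # javascript: URI scheme
        ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ],
}


def active_checks(level: str) -> List[Tuple[str, "re.Pattern[str]"]]:
    """Return the checks that apply at `level`, including all lower levels."""
    if level not in LEVELS:
        raise ValueError(f"unknown security level: {level!r}")
    checks: List[Tuple[str, "re.Pattern[str]"]] = []
    for lvl in LEVELS[: LEVELS.index(level) + 1]:
        checks.extend(CHECKS[lvl])
    return checks


def inspect_header(name: str, value: str, level: str = "standard") -> List[str]:
    """Return the names of all checks triggered by one header value.

    An empty list means the header passes at this level. `name` is kept in the
    signature so a caller can log which header matched.
    """
    return [rule for rule, pattern in active_checks(level) if pattern.search(value)]


def filter_request(headers: Dict[str, str], level: str = "standard") -> Tuple[bool, Dict[str, List[str]]]:
    """Evaluate every header of a request; returns (allowed, findings per header)."""
    findings = {n: inspect_header(n, v, level) for n, v in headers.items()}
    findings = {n: f for n, f in findings.items() if f}
    return (not findings), findings


if __name__ == "__main__":
    # Constructed sample requests: one benign, one carrying a quoted payload.
    benign = {"Host": "example.test", "Accept": "*/*", "User-Agent": "Mozilla/5.0 (X11)"}
    suspicious = {"Host": "example.test", "X-Tag": 'a="; alert(1); "'}
    for level in LEVELS:
        print(level, "benign ->", filter_request(benign, level))
        print(level, "suspicious ->", filter_request(suspicious, level))
```

Note how the quoted payload is allowed at Basic and rejected only from Standard upwards, while a bare `alert(document.cookie)` without any quote character is caught only at Strict; that is the level progression the bullet list describes.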

Included Deny Rules

Rule name                                                                           Legacy  Basic  Standard  Strict
(default 18) Cross-site scripting rule for header values                            ON      -      -         -
(default XSS_001b) Source attribute of critical HTML tag in HTTP header value        -       ON     ON        ON
(default XSS_005b) HTML script tag in HTTP header value                              -       ON     ON        ON
(default XSS_020b) Injection in link attributes in HTTP header value                 -       -      ON        ON
(default XSS_025b) Refresh rate manipulation in HTTP header value                    -       -      ON        ON
(default XSS_030b) JavaScript in quoted context in HTTP header value                 -       -      ON        ON
(default XSS_040b) HTML event handler in HTTP header value                           -       ON     ON        ON
(default XSS_050b) CSS expression in HTTP header value                               -       -      ON        ON
(default XSS_055b) XSS filter evasion using arrays and objects in HTTP header value  -       -      ON        ON

Column positions in this table assume cumulative security levels: a rule active at Basic is also active at Standard and Strict, and a rule active at Standard is also active at Strict. "ON" marks the levels at which a rule is enabled; "-" marks the levels at which it is not.