Check of the X-Content-Type header
If the result is positive, there is no need for further action. If the result is negative, please read the following instructions.
| Item | Details |
|---|---|
| Result positive | Cross-site scripting (XSS) protection of the web browser is active on your website. |
| Result negative | Cross-site scripting protection is not active or configured incorrectly. |
| Description | The HTTP header X-XSS-Protection defines how the built-in XSS filters of the browser are configured. A default installation can indicate an incorrect configuration. |
| Background | This header activates the cross-site scripting (XSS) protection that is built into most current browsers (Internet Explorer, Chrome and Safari). This protection is active by default, so the header is only there to re-enable the page filter if the user has disabled it. In addition, it is only supported in IE 8+, Opera, Chrome and Safari. |
| Consequence | Prevents reflected XSS attacks. Easy to implement, and requires no further adjustments on the website. |
| Solution/Tips | If the check reported that your website is probably not sufficiently protected from XSS attacks, add the header as shown in the .htaccess example below. |

Code example of an .htaccess file on an Apache web server:

```apache
# Turn on XSS prevention tools, activated by default in IE and Chrome
Header set X-XSS-Protection "1; mode=block"
```

Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)
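The following is an added example, not the scanner's own code: it evaluates the X-XSS-Protection header of a response the way the check above is described (positive when the filter is enabled, negative when the header is missing, set to "0" or malformed) and flags a value that lacks `mode=block`. The header values in `SAMPLES` are constructed, not captured from a real site.

```python
import re

# Accepted forms of the header value (case-insensitive, whitespace-tolerant):
#   "1"               -> filter on, browser sanitises the page
#   "1; mode=block"   -> filter on, browser blocks rendering (the value used above)
#   "0"               -> filter explicitly disabled
_VALUE_RE = re.compile(r"^\s*([01])\s*((?:;\s*\w+\s*=\s*[^;]+\s*)*)$", re.I)


def parse_xss_protection(value):
    """Return (enabled, {directive: value}) or None if the value is malformed."""
    m = _VALUE_RE.match(value)
    if not m:
        return None
    enabled = m.group(1) == "1"
    directives = {}
    for part in m.group(2).split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip()
    return enabled, directives


def check_xss_protection(headers):
    """Classify response headers (dict name -> value, names case-insensitive).

    Returns ("positive" | "negative", reason).
    """
    value = next((v for k, v in headers.items() if k.lower() == "x-xss-protection"), None)
    if value is None:
        return "negative", "header missing"
    parsed = parse_xss_protection(value)
    if parsed is None:
        return "negative", "malformed value: %r" % value
    enabled, directives = parsed
    if not enabled:
        return "negative", "filter explicitly disabled (0)"
    if directives.get("mode", "").lower() != "block":
        return "positive", "filter on, but mode=block not set (page is sanitised, not blocked)"
    return "positive", "filter on with mode=block"


# Constructed sample responses for the four outcomes (not from a real site)
SAMPLES = {
    "hardened": {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"},
    "disabled": {"X-XSS-Protection": "0"},
    "missing": {"Content-Type": "text/html"},
    "malformed": {"x-xss-protection": "block"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, *check_xss_protection(hdrs))
```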