Symptom
- Some penetration tests report that the 'X-XSS-Protection' response header returns the deprecated value '1; mode=block' for OCC API requests and Backoffice requests.
- According to the Mozilla MDN documentation, this feature is no longer recommended; in some cases X-XSS-Protection can itself create XSS vulnerabilities.
- According to the Spring Security documentation, the default filter value 'X-XSS-Protection: 1; mode=block' is set on the response header to filter out reflected XSS attacks.
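As an added illustration (not code from the KBA, SAP Commerce or Spring Security), a small Python checker that parses captured response headers and reports the deprecated 'X-XSS-Protection' values; the sample OCC and Backoffice responses are constructed.

```python
"""Flag the deprecated X-XSS-Protection value in captured HTTP response headers."""
from typing import Dict, Optional, Tuple

# Per MDN the header is deprecated; '0' (filter off) is the only value that cannot
# itself be abused. Spring Security's historical default is '1; mode=block'.
SAFE_VALUE = "0"

def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn 'Name: value' lines (a status line is skipped) into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("HTTP/", " ", "\t")):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_xss_protection(value: str) -> Tuple[str, Dict[str, str]]:
    """Split '1; mode=block' into ('1', {'mode': 'block'})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    directives: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    return (parts[0] if parts else ""), directives

def audit_response(raw: str) -> Optional[str]:
    """Return a finding for one response, or None when nothing needs reporting."""
    value = parse_raw_headers(raw).get("x-xss-protection")
    if value is None:
        return None  # header absent: nothing to flag
    flag, directives = parse_xss_protection(value)
    if flag == SAFE_VALUE:
        return None  # '0' explicitly disables the legacy browser filter
    if flag == "1":
        mode = directives.get("mode", "none")
        return "deprecated X-XSS-Protection '%s' (mode=%s); send '0' or drop the header" % (value, mode)
    return "unrecognised X-XSS-Protection value '%s'" % value

# Constructed sample responses (not real SAP traffic), one per affected endpoint type.
OCC_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nX-XSS-Protection: 1; mode=block\r\n"
BACKOFFICE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 0\r\n"

if __name__ == "__main__":
    for name, resp in (("OCC", OCC_RESPONSE), ("Backoffice", BACKOFFICE_RESPONSE)):
        print(name, audit_response(resp) or "ok")
```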
**Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.**
Environment
- SAP Commerce Cloud
- SAP Commerce
Product
SAP Commerce Cloud all versions; SAP Commerce all versions
Keywords
OCC API, Backoffice, 'X-XSS-Protection', response header, Penetration Testing, deprecated, '1; mode=block', 'backoffice.response.header.X-XSS-Protection', 'xss.filter.header.X-XSS-Protection', KBA, CEC-SCC-PLA-PL, Platform, CEC-SCC-CDM-BO-FRW, Framework, Problem
About this page
This is a preview of an SAP Knowledge Base Article; the full version is available on SAP for Me (login required).