# XSS Analyzer
| Category | Severity | Time To Fix |
|---|---|---|
| 🛡️ Security | Major | 5 minutes |

Class: `Enlightn\Enlightn\Analyzers\Security\XSSAnalyzer`
# Introduction
This analyzer checks whether your application sets an appropriate `Content-Security-Policy` header to protect against XSS attacks.

If your application does not set this header (with at least a `default-src` or `script-src` directive), or the header includes an `unsafe-eval` or `unsafe-inline` source, this analyzer results in a failure.
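The rule above (a header must be present, must carry `default-src` or `script-src`, and must not allow `'unsafe-inline'` or `'unsafe-eval'`) can be reproduced outside Laravel to check a header captured from a response. The following is an added example written for this page, not Enlightn's own code; the parsing rules follow the CSP syntax (directives separated by `;`, a directive name followed by whitespace-separated sources, duplicate directives ignored after the first) and the sample headers are constructed.

```python
"""Check a Content-Security-Policy header against the rule the analyzer applies."""
from __future__ import annotations

# The analyzer requires at least one of these directives (per the page).
REQUIRED_DIRECTIVES = {"default-src", "script-src"}
# The analyzer rejects these source keywords anywhere in the policy (per the page).
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [sources]} (names lower-cased)."""
    policy: dict[str, list[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        name, sources = tokens[0].lower(), [s.lower() for s in tokens[1:]]
        # Per the CSP spec, only the first occurrence of a directive counts.
        policy.setdefault(name, sources)
    return policy


def check_csp(header: str | None) -> list[str]:
    """Return sorted findings; an empty list means the header passes the rule."""
    if header is None or not header.strip():
        return ["Content-Security-Policy header is missing"]
    policy = parse_csp(header)
    findings: list[str] = []
    if not REQUIRED_DIRECTIVES & set(policy):
        findings.append("policy sets neither default-src nor script-src")
    for directive, sources in policy.items():
        for unsafe in UNSAFE_SOURCES & set(sources):
            findings.append(f"{directive} allows {unsafe}")
    return sorted(findings)


# Constructed sample headers; only "nginx_example" is the page's own value.
SAMPLES = {
    "missing": None,
    "nginx_example": "default-src 'self';",
    "inline_scripts": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "no_fetch_directive": "frame-ancestors 'none'; upgrade-insecure-requests",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        findings = check_csp(header)
        print(f"{label}: {'PASS' if not findings else 'FAIL: ' + '; '.join(findings)}")
```

Running the script shows that only the page's Nginx example passes; the other three samples fail for the missing header, the `'unsafe-inline'` source, and the absence of both `default-src` and `script-src` respectively.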
# How To Set The Content-Security-Policy Header
You can add the `Content-Security-Policy` header in your web server configuration.

For Nginx, you may use the `add_header` directive in your `server` or `location` block:

```nginx
add_header Content-Security-Policy "default-src 'self';";
```

For Apache, you may use the `Header` directive in your `<VirtualHost>`, `<Directory>` or `<Location>` container:

```apache
Header always set Content-Security-Policy "default-src 'self';"
```
WARNING
Note that the header above is just an example. Make sure to read the Content Security Policy documentation linked below to understand which directives and sources are valid for your application.

If you omit sources your pages depend on, some of your JS scripts or CSS styles may not load or apply. Open the Developer Console in your browser to confirm there are no CSP errors once your configuration is complete.
# Skip Condition
This analyzer is skipped for local environments (if the `skip_env_specific` configuration option is set to `true`) or if your app is stateless (does not use the `StartSession` middleware).
# References
- Introduction to the Content-Security-Policy Header
- Google's Guide to Content Security Policy
- OWASP Introduction to Content Security Policy
- OWASP Content Security Policy Cheatsheet
- Nginx Add Header Directive
- Apache Header Directive