# XSS Analyzer

Category Severity Time To Fix
🛡️ Security Major 5 minutes

Class: Enlightn\Enlightn\Analyzers\Security\XSSAnalyzer

# Introduction

This analyzer checks whether your application sets an appropriate Content-Security-Policy header to protect against XSS attacks.

If your application does not set this header (with at least a default-src or script-src directive) or includes an unsafe-eval or unsafe-inline source, this analyzer would result in a failure.

# How To Set The Content-Security-Policy Header

You can add the Content-Security-Policy header in your web server configuration.

For Nginx, you may use the add_header directive in your server or location block:

add_header Content-Security-Policy "default-src 'self';";

For Apache, you may use the Header directive in your <VirtualHost>, <Directory> or <Location> container:

Header always set Content-Security-Policy "default-src 'self';"


Note that the header above is just an example. Make sure to read the content security policy documentation in the links below to understand what directives and sources would be valid for your application.

If you miss certain sources, it may mean that some of your JS scripts or CSS styles may not apply properly. Make sure to open the Developer Console in your browser to confirm there are no errors after your configuration is complete.

# Skip Condition

This analyzer is skipped for local environments (if the skip_env_specific configuration option is set to true) or if your app is stateless (does not use the StartSession middleware).

# References