XSS and XSRF Prevention
To protect against cross-site scripting (XSS), the HTTP header `X-Content-Type-Options: nosniff` is required on all responses. Also include `Content-Type: application/json; charset=utf-8` in the response headers. Together these stop a browser from MIME-sniffing a JSON response and rendering it as HTML or executing it as script.

To protect against cross-site request forgery (XSRF), the HTTP header `X-XSRF-Protected: 1` is required on all requests; requests without it must be rejected. Browsers do not attach custom headers to cross-site form submissions or other "simple" requests without a CORS preflight, so a forged request from another origin cannot carry it.
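The following is an added example, not code from this page or from Google: a minimal WSGI application that enforces both rules above, setting the two required headers on every JSON response (including error responses) and rejecting any request that lacks `X-XSRF-Protected: 1`. The endpoint path `/api/example`, the JSON bodies and the `call_app` test helper are assumptions for illustration.

```python
"""Added example: enforce the XSS and XSRF header rules described above.

Not Google's code. The endpoint path, response bodies and the in-process
call_app() helper are assumptions made for illustration.
"""
import json

# Response headers that every JSON response must carry (from the page).
REQUIRED_RESPONSE_HEADERS = [
    ("Content-Type", "application/json; charset=utf-8"),
    ("X-Content-Type-Options", "nosniff"),
]


def has_xsrf_header(environ):
    """True if the request carried 'X-XSRF-Protected: 1'.

    WSGI exposes request headers as HTTP_<NAME>, upper-cased with dashes
    turned into underscores, so X-XSRF-Protected becomes HTTP_X_XSRF_PROTECTED.
    A browser will not add this custom header to a cross-site form POST or to
    an <img>/<script> request without a CORS preflight, which is why its
    presence is a usable XSRF signal.
    """
    return environ.get("HTTP_X_XSRF_PROTECTED", "").strip() == "1"


def json_response(start_response, status, payload):
    """Serialize payload as JSON and attach the required response headers."""
    body = json.dumps(payload).encode("utf-8")
    headers = list(REQUIRED_RESPONSE_HEADERS) + [("Content-Length", str(len(body)))]
    start_response(status, headers)
    return [body]


def app(environ, start_response):
    """Reject requests missing the XSRF header; otherwise echo the method.

    The 403 response still carries nosniff and the JSON content type, so a
    browser can never sniff the error body as HTML.
    """
    if not has_xsrf_header(environ):
        return json_response(start_response, "403 Forbidden",
                             {"error": "missing X-XSRF-Protected: 1 header"})
    return json_response(start_response, "200 OK",
                         {"ok": True, "method": environ.get("REQUEST_METHOD")})


def call_app(method, headers=None):
    """Invoke the app in-process (no network) with a constructed WSGI environ.

    Returns (status, dict of response headers, parsed JSON body).
    """
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": "/api/example",  # assumed endpoint
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], json.loads(body.decode("utf-8"))


if __name__ == "__main__":
    # A forged cross-site POST cannot carry the custom header: rejected.
    print(call_app("POST"))
    # A legitimate client that sets the header: accepted.
    print(call_app("POST", {"X-XSRF-Protected": "1"}))
```

A browser client sends the header with `fetch(url, {headers: {"X-XSRF-Protected": "1"}})`. The check only holds if your CORS policy does not list `X-XSRF-Protected` in `Access-Control-Allow-Headers` for arbitrary origins; if it does, a cross-origin page can pass the preflight and the header stops being evidence of a same-site caller.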
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-09 UTC.