xss_check_status
The `xss_check_status` directive controls whether the NGINX xss-nginx-module checks a response's HTTP status code before applying its JSONP callback wrapping.
Description
The xss_check_status directive of the NGINX xss-nginx-module controls whether the module checks a response's HTTP status code before wrapping the body in a JSONP callback. The check only comes into play when JSONP wrapping is enabled (xss_get on) and the request carries the callback argument named by xss_callback_arg. With the default, xss_check_status on, only responses with status 200 or 201 are wrapped as callback(...); every other status passes through the filter unmodified, body and status intact. This matters because a wrapped body is delivered to the calling page as script: restricting wrapping to successful responses keeps backend error bodies from being rewritten into callback(...) and executed by a JSONP consumer as if they were valid data. With xss_check_status off, the status is ignored and any response whose Content-Type matches xss_input_types is wrapped, whatever its status. The directive takes a single flag, on or off, and is allowed in the http, server, location, and if-in-location contexts.
Config Example
location /example {
    xss_get on;
    xss_check_status on;
}

Setting xss_check_status to 'off' lets responses with non-success statuses (for example 4xx or 5xx error bodies returned as JSON by the backend) be wrapped in the callback and served as script, so a JSONP consumer receives an error response in the same executable shape as a successful one.
Leave the directive at its default of 'on' unless a backend deliberately returns data that clients must receive on non-2xx statuses; if it is turned off, also make sure xss_input_types is restricted to the JSON types the backend actually produces, so that error pages in other formats are never wrapped.
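A fuller configuration, added here as an illustration rather than taken from the module's own documentation, showing the weak setting next to the default. The upstream block, hostname and paths are assumptions; xss_callback_arg and xss_input_types are other directives of the same module.

```nginx
# Added example: a JSONP endpoint served by xss-nginx-module, with the weak
# setting beside the default. The upstream name "api_backend", the hostname,
# the paths and the callback argument name are assumptions for illustration.
upstream api_backend {
    server 127.0.0.1:8080;   # assumed backend that answers with application/json
}

server {
    listen 80;
    server_name api.example.com;   # assumed hostname

    # Weak: status check disabled. Any response whose Content-Type matches
    # xss_input_types is wrapped as  cb(<body>);  even when the backend
    # answered 4xx/5xx, so a JSON error body reaches the caller as script
    # in the same shape as a successful reply.
    location /jsonp-unsafe/ {
        xss_get on;                         # enable JSONP wrapping for GET requests
        xss_callback_arg callback;          # ?callback=<name> selects the wrapper function
        xss_input_types application/json;   # wrap only JSON bodies
        xss_check_status off;
        proxy_pass http://api_backend/;
    }

    # Default: only 200 and 201 responses are wrapped; every other status
    # passes through the filter untouched, status code and body intact.
    location /jsonp/ {
        xss_get on;
        xss_callback_arg callback;
        xss_input_types application/json;
        xss_check_status on;                # the default, stated explicitly
        proxy_pass http://api_backend/;
    }
}
```

To verify the difference, request a backend path that returns a JSON error with a non-2xx status through both locations with `?callback=cb` appended: under /jsonp/ the error body arrives unwrapped with its original status, while under /jsonp-unsafe/ it arrives as `cb({...});`. Keep the callback argument name restricted to what the module accepts; the status check is a filter on what gets wrapped, not a substitute for validating the callback name itself.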