xss_input_types
The xss_input_types directive specifies which MIME types to process for cross-site scripting support in NGINX.
Description
The xss_input_types directive configures the NGINX server to process only responses of the specified MIME types when handling cross-site AJAX requests. The directive accepts one or more MIME type arguments and is valid in the http, server, location, and if in location contexts. It is a critical part of cross-site AJAX support: it enables JSONP by ensuring that only specific content types are considered for script modification. By default, the module includes application/json as a recognized input type, so it processes responses suited to JSONP and ignores others that might not be suitable for this purpose.
Config Example
server {
    location /foo {
        xss_get on;
        xss_input_types application/json text/plain;
    }
}

Ensure that you provide valid MIME types; misspellings will cause the directive to not work as expected.
Remember to include all required MIME types; if you exclude a necessary type, valid responses may be ignored.
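
The two cautions above can be checked mechanically before a reload. The Python linter below is an added example, not part of the module or its documentation; the function name, the sample configuration and the expected-type set supplied by the caller are assumptions made for illustration.

```python
import re

# RFC 6838 section 4.2 restricted-name: alphanumeric first, then up to 126 more.
_NAME = r"[A-Za-z0-9][A-Za-z0-9!#$&\-^_.+]{0,126}"
MIME_RE = re.compile(_NAME + "/" + _NAME)
DIRECTIVE_RE = re.compile(r"\bxss_input_types\s+([^;{}]*);")

# Constructed sample config (not from the page): one clean block, one with typos.
SAMPLE_CONFIG = """\
server {
    location /foo {
        xss_get on;
        xss_input_types application/json text/plain;
    }
    location /bar {
        xss_get on;
        # xss_input_types text/html;
        xss_input_types application/jsno text/;
    }
}
"""

def lint_xss_input_types(config_text, expected_types):
    """Return (line, kind, mime_type) findings for every xss_input_types directive.

    expected_types is the caller's assumption about what the upstream emits.
    """
    expected = {t.lower() for t in expected_types}
    # Drop comments but keep newlines so line numbers stay accurate.
    # Assumption: no '#' inside quoted strings in the config.
    text = re.sub(r"#[^\n]*", "", config_text)
    findings = []
    for m in DIRECTIVE_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        listed = [t.lower() for t in m.group(1).split()]
        for t in listed:
            if not MIME_RE.fullmatch(t):
                findings.append((line, "invalid", t))      # not type/subtype syntax
            elif t not in expected:
                findings.append((line, "unexpected", t))   # typo, or wider than needed
        for t in sorted(expected - set(listed)):
            findings.append((line, "missing", t))          # responses would be skipped
    return findings

if __name__ == "__main__":
    for line, kind, mime in lint_xss_input_types(SAMPLE_CONFIG, {"application/json"}):
        print(f"line {line}: {kind}: {mime}")
```

An "unexpected" finding is worth reviewing even when it is not a typo, since each extra type makes another class of responses eligible for callback wrapping.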