xss_override_status

The xss_override_status directive modifies the HTTP response status codes for cross-site scripting protections.

Syntax: xss_override_status on | off;
Default: off
Context: http, server, location, if in location
Arguments: flag

Description

The xss_override_status directive controls the HTTP response status code sent back to clients for cross-site (JSONP) requests whose response would otherwise carry a 30x, 40x, or 50x status. When the directive is set to on, any such status is overridden and the response is returned with a 200 OK status code instead. This matters for JSONP because the browser loads the response as a <script>; a script response with a non-success status is not executed, so the callback never runs and the frontend receives no data at all. With the status overridden, the wrapped body is delivered to the callback and the frontend application can keep functioning instead of stalling on the failed script load.

This directive is part of the xss module, which extends NGINX with handling for certain cross-site scripting (XSS) scenarios. By default, the module only wraps responses with a 200 or 201 status code in the JSONP callback and leaves other statuses untouched. With xss_override_status enabled, a controlled 200 status is returned even when the original processing produced an error status, so that applications relying on asynchronous data fetching from different origins receive the response body regardless of the outcome.

Config Example

server {
    location /api {
        xss_get on;
        xss_override_status on;
    }
}

Setting this directive to 'on' masks the real outcome of the request: the client can no longer tell a failed request from a successful one by its status code, which can lead to misleading client-side behavior if the application treats every 200 response as success.

Ensure that overriding status codes does not conflict with your application's error-handling strategy, since real errors from the backend will reach the client as 200 responses and must be detected from the response body instead.
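To make this caveat concrete, the following is an added Python model of the status handling this page describes. It is not the xss module's code; it assumes JSONP wrapping of the form callback(body); and the rules stated above (only 200/201 wrapped by default, 30x/40x/50x rewritten to 200 when the override is on).

```python
"""Illustrative model of xss_override_status (not the xss module's implementation).

Assumptions: JSONP output has the shape  callback(<body>);  and the wrapping
rules follow this page: 200/201 are wrapped by default; with the override on,
30x/40x/50x statuses are rewritten to 200 and wrapped as well.
"""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


def wrap_jsonp(callback: str, body: str) -> str:
    """Wrap a body in the JSONP callback call."""
    return f"{callback}({body});"


def apply_xss(resp: Response, callback: str, override_status: bool) -> Response:
    """Return the response as the client would see it after the filter."""
    if resp.status in (200, 201):
        return Response(resp.status, wrap_jsonp(callback, resp.body))
    if override_status and 300 <= resp.status < 600:
        # The original status is lost: the client sees 200 OK with the
        # backend's error body delivered to the callback.
        return Response(200, wrap_jsonp(callback, resp.body))
    # Default behaviour: untouched error status. The browser refuses to run a
    # script loaded with a non-success status, so the callback never fires.
    return resp


# Constructed sample upstream responses, not taken from a real backend.
SAMPLES = [
    Response(200, '{"user":"alice"}'),
    Response(404, '{"error":"not found"}'),
    Response(500, '{"error":"db down"}'),
]


def masked_errors(override_status: bool) -> list[int]:
    """Original error statuses the client can no longer distinguish from success."""
    return [s.status for s in SAMPLES
            if s.status >= 300 and apply_xss(s, "cb", override_status).status == 200]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"xss_override_status {'on' if flag else 'off'}: masked={masked_errors(flag)}")
        for s in SAMPLES:
            out = apply_xss(s, "cb", flag)
            print(f"  upstream {s.status} -> client {out.status}: {out.body}")
```

With the override on, the client code must inspect the wrapped body for an error indicator, because the status code alone reports success for every request.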
