XSS and XSRF Prevention
Stay organized with collections
Save and categorize content based on your preferences.
To protect against cross-site scripting (XSS), requires the HTTP header X-Content-Type-Options: nosniff
for all responses. Also include Content-Type: application/json; charset=utf-8
in the response header.
To protect against cross-site request forgery (XSRF), requires the HTTP header X-XSRF-Protected: 1
for all requests.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-09 UTC.
[null,null,["Last updated 2024-10-09 UTC."],[],["Responses should include `X-Content-Type-Options: nosniff` and `Content-Type: application/json; charset=utf-8` headers to prevent cross-site scripting (XSS). To prevent cross-site request forgery (XSRF), all requests must include the `X-XSRF-Protected: 1` header. These actions enhance security by ensuring content types are strictly interpreted and verifying the origin of requests, thus mitigating common web vulnerabilities.\n"],null,[]]