XSS and XSRF Prevention
Stay organized with collections
Save and categorize content based on your preferences.
To protect against cross-site scripting (XSS), requires the HTTP header X-Content-Type-Options: nosniff for all responses. Also include Content-Type: application/json; charset=utf-8 in the response header.
To protect against cross-site request forgery (XSRF), requires the HTTP header X-XSRF-Protected: 1 for all requests.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-09 UTC.
[null,null,["Last updated 2024-10-09 UTC."],[[["\u003cp\u003eAll responses must include the \u003ccode\u003eX-Content-Type-Options: nosniff\u003c/code\u003e and \u003ccode\u003eContent-Type: application/json; charset=utf-8\u003c/code\u003e headers to mitigate cross-site scripting (XSS) vulnerabilities.\u003c/p\u003e\n"],["\u003cp\u003eAll requests must include the \u003ccode\u003eX-XSRF-Protected: 1\u003c/code\u003e header to defend against cross-site request forgery (XSRF) attacks.\u003c/p\u003e\n"]]],["Responses should include `X-Content-Type-Options: nosniff` and `Content-Type: application/json; charset=utf-8` headers to prevent cross-site scripting (XSS). To prevent cross-site request forgery (XSRF), all requests must include the `X-XSRF-Protected: 1` header. These actions enhance security by ensuring content types are strictly interpreted and verifying the origin of requests, thus mitigating common web vulnerabilities.\n"],null,["# XSS and XSRF Prevention\n\nTo protect against cross-site scripting (XSS), requires the HTTP header `X-Content-Type-Options: nosniff` for all responses. Also include `Content-Type: application/json; charset=utf-8` in the response header.\n\nTo protect against cross-site request forgery (XSRF), requires the HTTP header `X-XSRF-Protected: 1` for all requests."]]
