- Which versions are you using: Community Build 25.6.0
- How is SonarQube deployed: Docker
- What are you trying to achieve: After deploying it via a Dockerfile to a platform, a URL is generated. But if we click Inspect on the page, in Network -> sonarqube folder -> Headers section, the XSS protection header is 0.

The observation states that we might need to make sure XSS protection is 1, to secure our application from cross-site hijacking.

Please let us know: if this is not configured to secure against this cross-site hijack thing, is there any impact? If yes, what mitigation steps do we need to follow?
I suppose you’re talking about the non-standard X-XSS-Protection header, which is mostly ineffective now since most browsers simply ignore it. It has been replaced by Content-Security-Policy.
Anyway, it’s good practice to put SonarQube behind a reverse proxy like nginx. If you really need to add a useless header like this one, you can do it there.
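An added example (not from this thread or from SonarQube) of the nginx reverse-proxy setup the reply suggests, with the header from the scanner finding set at the proxy; the hostname, certificate paths and the SonarQube upstream address are assumptions. Because SonarQube already emits its own `X-XSS-Protection: 0`, the upstream copy is hidden first, otherwise nginx would forward both values.

```nginx
# Added example: nginx in front of SonarQube, adding security headers at the proxy.
# Assumes SonarQube listens on 127.0.0.1:9000 and nginx terminates TLS.
server {
    listen 443 ssl;
    server_name sonar.example.com;                  # placeholder hostname
    ssl_certificate     /etc/nginx/tls/sonar.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/sonar.key;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:9000;

        # Forward client/scheme information so SonarQube builds correct URLs.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Drop the upstream value so the response carries a single header,
        # then set the value the scanner asked for. "always" applies it to
        # error responses too, not only 2xx/3xx.
        proxy_hide_header X-XSS-Protection;
        add_header X-XSS-Protection "1; mode=block" always;

        # Headers that still matter in current browsers.
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=31536000" always;
    }
}
```

Note that `add_header` directives in a `location` replace, rather than extend, any `add_header` set at `server` level, so keep the full set in one place.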