http-xss-filter #

xss-nginx-module - Native cross-site scripting support in nginx

Source: upstream source

Directives

xss_callback_arg #

syntax: xss_callback_arg 1 arg (string);  ·  context: http, server, location, location-if

Stores a single string value.

xss_check_status #

syntax: xss_check_status on | off (on/off flag);  ·  context: http, server, location, location-if

Boolean directive — set to "on" or "off".

xss_get #

syntax: xss_get on | off;  ·  context: http, server, location, location-if

Enables JSONP-style wrapping of GET request responses for cross-origin data retrieval.

xss_input_types #

syntax: xss_input_types 1+ args;  ·  context: http, server, location, location-if

Specifies which MIME types are eligible for JSONP response wrapping.

xss_output_type #

syntax: xss_output_type 1+ args (string);  ·  context: http, server, location, location-if

Stores a single string value.

xss_override_status #

syntax: xss_override_status on | off (on/off flag);  ·  context: http, server, location, location-if

Boolean directive — set to "on" or "off".

Example

# accessing /foo?callback=process gives the response
# body "process(...);" (without quotes) where "..."
# is the original response body of the /foo location.
server {
    location /foo {
        # your content handler goes here...

        xss_get on;
        xss_callback_arg 'callback';
        xss_input_types 'application/json'; # default
        xss_output_type 'application/x-javascript'; # default
    }
    ...
}

↑ back to index