XSS and XSRF Prevention
To protect against cross-site scripting (XSS), requires the HTTP header X-Content-Type-Options: nosniff
for all responses. Also include Content-Type: application/json; charset=utf-8
in the response header.
To protect against cross-site request forgery (XSRF), requires the HTTP header X-XSRF-Protected: 1
for all requests.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-09 UTC.
[null,null,["Last updated 2024-10-09 UTC."],[[["All responses must include the `X-Content-Type-Options: nosniff` and `Content-Type: application/json; charset=utf-8` headers to mitigate cross-site scripting (XSS) vulnerabilities."],["All requests must include the `X-XSRF-Protected: 1` header to defend against cross-site request forgery (XSRF) attacks."]]],["Responses should include `X-Content-Type-Options: nosniff` and `Content-Type: application/json; charset=utf-8` headers to prevent cross-site scripting (XSS). To prevent cross-site request forgery (XSRF), all requests must include the `X-XSRF-Protected: 1` header. These actions enhance security by ensuring content types are strictly interpreted and verifying the origin of requests, thus mitigating common web vulnerabilities.\n"]]