XSS and XSRF Prevention
To protect against cross-site scripting (XSS), requires the HTTP header X-Content-Type-Options: nosniff for all responses. Also include Content-Type: application/json; charset=utf-8 in the response header.
To protect against cross-site request forgery (XSRF), requires the HTTP header X-XSRF-Protected: 1 for all requests.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-09 UTC.
[null,null,["Last updated 2024-10-09 UTC."],[[["All responses must include the `X-Content-Type-Options: nosniff` and `Content-Type: application/json; charset=utf-8` headers to mitigate cross-site scripting (XSS) vulnerabilities."],["All requests must include the `X-XSRF-Protected: 1` header to defend against cross-site request forgery (XSRF) attacks."]]],[]]
