author    Stefan Fritsch <sf@sfritsch.de>  2012-06-23 17:37:44 +0200
committer Stefan Fritsch <sf@sfritsch.de>  2012-06-23 17:37:44 +0200
commit    771cf9de50b9f56068b84f379000deb7669696d6 (patch)
tree      71a02f2db4fa8a2e94884a15ec019059bc55cd3f
parent    be4b63f60e14cdab39ad110f1bbaaaaf47898dfe (diff)
download  apache2-771cf9de50b9f56068b84f379000deb7669696d6.tar.gz
Add example for X-XSS-Protection to conf.d/security.
-rw-r--r--  debian/changelog                   | 1
-rw-r--r--  debian/config-dir/conf.d/security  | 10
2 files changed, 11 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index deb76f60..b5bfe58d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ apache2 (2.2.22-8) UNRELEASED; urgency=medium
* CVE-2012-2687: mod_negotiation: Escape filenames in variant list to prevent
a possible XSS for a site where untrusted users can upload files to a
location with MultiViews enabled.
+ * Add example for X-XSS-Protection to conf.d/security.
[ Arno Töll ]
* Fix "contradictory comment in /etc/apache2/apache2.conf about the
diff --git a/debian/config-dir/conf.d/security b/debian/config-dir/conf.d/security
index 483e4827..b0d46227 100644
--- a/debian/config-dir/conf.d/security
+++ b/debian/config-dir/conf.d/security
@@ -68,6 +68,16 @@ TraceEnable Off
#Header set X-Content-Type-Options: "nosniff"
#
+# Some browsers have a built-in XSS filter that will detect some cross site
+# scripting attacks. By default, these browsers the the suspicious part of
+# the page and display the result. This behavior can create various problems
+# including new security issues. This header will tell the XSS filter to
+# completely block access to the page instead.
+# Requires mod_headers to be enabled.
+#
+#Header set X-XSS-Protection: "1; mode=block"
+
+#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
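Review bot: the explanatory comment in the new block is missing its verb, so the sentence does not say what the browser actually does: "By default, these browsers the the suspicious part of the page and display the result" should read something like "By default, these browsers remove (or rewrite) the suspicious part of the page and display the result". Since this file ships as documentation that administrators read before uncommenting a directive, the broken sentence should be fixed before the upload; the rest of the block follows the pattern of the neighbouring X-Content-Type-Options and frame-embedding examples (commented-out directive, "Requires mod_headers to be enabled" note), which is consistent.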