From 2471221bda9dda556e475895ad6cb2c5d843012a Mon Sep 17 00:00:00 2001
From: jomu
Date: Thu, 22 Sep 2016 08:09:16 +0000
Subject: [PATCH] added X-XSS-Protection header

---
 .../de/muehlencord/shared/jeeutil/OwaspStandardFilter.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
index 6e7f699..ad7ec53 100644
--- a/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
+++ b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
@@ -46,6 +46,9 @@ public class OwaspStandardFilter implements Filter {
 HttpServletResponse res = (HttpServletResponse) response;
 // X-FRAME-OPTIONS: Clickjacking protection: "deny" - no rendering within a frame, "sameorigin" - no rendering if origin mismatch
 res.addHeader("X-FRAME-OPTIONS", mode);
+
+ // Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
+ res.addHeader("X-XSS-Protection", "1");
 // X-Content-Type-Options the only defined value, "nosniff",
 // The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.