XSS and XSRF Prevention

To protect against cross-site scripting (XSS), requires the HTTP header X-Content-Type-Options: nosniff for all responses. Also include Content-Type: application/json; charset=utf-8 in the response header.

To protect against cross-site request forgery (XSRF), requires the HTTP header X-XSRF-Protected: 1 for all requests.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-10-09 UTC.