X-XSS-Protection headers and Pulse 4.5.2

This is a bit of a long shot but here goes.

I built a site with Pulse 4.5.2 a few years ago and the client has recently moved the site to a new server. After testing the front and back end, everything looked fine and the migration was signed off. A couple of months later the client started complaining that Pulse was 'crashing' and would lock her out of the site for 10-15 minutes while they tried to edit some content. I tried the site myself and it all appeared okay.

To cut a very long story short, I managed to reproduce the issue and sure enough the server was throwing a 403 (the requested resource is forbidden) error, which would not only lock the user out of Pulse but also lock anyone else out of viewing the public side of the site.

It looks like this host is injecting an X-XSS-Protection header into the site, which Pulse may be falling foul of. I suspect (but can't be sure at the moment) that Pulse is posting updated block or page data in a way that the server thinks could be suspicious, and is shutting the site down for a cool-off period.

I've asked the host to remove the X-XSS-Protection headers to see if this helps, but I suspect they won't do that as it is a shared hosting package.

Can anyone suggest where I might look in Pulse to see if the code could be improved to avoid (or maybe whitelist) these events? This may well have been fixed in Pulse 5 but unfortunately this site still uses Pulse 4.5.2.

Many thanks in advance (and thanks for getting this far) :)
Tim.


I know I had issues like this with "base64_decode", which were finally fixed with version 4.7+. Because of the "obfuscated code" it would trigger the hosting company's security, thinking it was some sort of malicious injected code.

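To make the behaviour Raimo describes concrete, here is an added illustration (not code from Pulse, from this thread, or from any host) of how a body-inspecting WAF on shared hosting ends up returning a 403 for a content save. The signatures, the 120-character blob threshold, the `legacy_save_body` / `plain_save_body` request shapes and the sample block HTML are all assumptions constructed for the example; they model the kind of "PHP injection" rule that matches on `base64_decode(` or on long unbroken base64 runs, not the exact rule set of any product.

```python
import re
import base64
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, unquote_plus

# Constructed signatures in the spirit of the "PHP injection" checks that
# shared-hosting WAFs run over request bodies. They are an assumption for
# illustration only, not the rule set of any particular host or of Pulse.
PHP_FUNCTION_CALL = re.compile(
    r"\b(base64_decode|eval|system|passthru|shell_exec)\s*\(", re.IGNORECASE
)
# A long unbroken run of base64 alphabet is what such scanners read as
# "obfuscated code"; 120 characters is an arbitrary illustrative threshold.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}")


@dataclass
class Verdict:
    status: int            # 200 = request allowed, 403 = WAF would refuse it
    rule: Optional[str]    # which signature fired, if any


def inspect_body(raw_body: str) -> Verdict:
    """Emulate a body-inspecting WAF: decode the form body the way the server
    would, then look for the signatures above. Context-free, like the real thing."""
    body = unquote_plus(raw_body)
    if PHP_FUNCTION_CALL.search(body):
        return Verdict(403, "php-function")
    if BASE64_BLOB.search(body):
        return Verdict(403, "base64-blob")
    return Verdict(200, None)


def legacy_save_body(block_name: str, html: str) -> str:
    """Assumed shape of a pre-4.7 save request: the block HTML travels as one
    base64 string, which the server side would hand to base64_decode()."""
    encoded = base64.b64encode(html.encode("utf-8")).decode("ascii")
    return urlencode({"block": block_name, "content": encoded})


def plain_save_body(block_name: str, html: str) -> str:
    """The same save with the HTML sent as ordinary form-encoded text; spaces
    and tags break it into short runs, so the blob rule never fires."""
    return urlencode({"block": block_name, "content": html})


# Constructed sample block content for the cases discussed in the thread.
SAMPLE_HTML = (
    "<h2>Opening hours</h2>"
    "<p>We are open Monday to Friday, 9am to 5pm, and Saturday mornings by "
    "appointment. Please call ahead on public holidays.</p>"
)
# Innocent editorial text that merely mentions a flagged PHP function: a
# context-free scanner blocks it even when it is sent as plain text.
PHP_TUTORIAL_HTML = "<p>Never call base64_decode($_GET['x']) on untrusted input.</p>"


if __name__ == "__main__":
    cases = [
        ("legacy base64 save", legacy_save_body("intro", SAMPLE_HTML)),
        ("plain-text save", plain_save_body("intro", SAMPLE_HTML)),
        ("plain-text save, PHP tutorial", plain_save_body("intro", PHP_TUTORIAL_HTML)),
    ]
    for label, body in cases:
        v = inspect_body(body)
        print(f"{label:32s} -> {v.status} ({v.rule or 'no rule matched'})")
```

Run as-is it shows the legacy base64 save refused with a 403 while the plain-text save of the same block passes, which is the difference the 4.7+ fix makes. The third case is the caveat: because the scanner has no notion of context, a perfectly ordinary page that quotes `base64_decode(` is blocked too, so moving away from base64 removes the common trigger but not every false positive. A WAF that also bans the client IP for a cool-off period after a hit would explain the 10-15 minute lockout of everyone, not just the editor, that Tim describes.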

Thanks for the reply, @Raimo. I'll take a closer look at that part of the code.


If this does not solve it, let me know, Tim.