What are peoples thoughts on responding to these and how do we find out if they are true?

"Hi,

I found XSS bug issue in your domain, where to send details?

Do you have bug bounty?

Thanks!"

Sounds like spam to me. Personally, I would ignore it.

Marshall
CENLYT Productions - ms designs
Affordable Web Design
Custom Ecommerce Designs
Responsive Websites
Cenlyt.com

I always ignore unsolicited messages & they always end up in 'File 13', the bin! I always work on the principle that no one works for free / out of the goodness of their heart; there's usually a financial motive. Having said that, I am old & cynical but so far it has stood be in good stead

I always have this in my .htaccess file which protects against cross site scripting, page-framing and click-jacking & content sniffing.

If using Wordpress then the header Header always append X-Frame-Options SAMEORIGIN has been reported to cause the Theme Customizer site preview to go blank/not work. I can't say if that's right or wrong as I don't 'do' Wordpress


# Extra Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
</IfModule>

Steve
Bolton Lancashire

Thanks for the responses. I will do that.