
X-XSS-Protection at HTTP Headers

The HTTP X-XSS-Protection response header is a security feature of browsers such as Internet Explorer, Chrome, and Safari that stops a page from loading when the browser detects a reflected cross-site scripting (XSS) attack. In modern browsers this protection is largely redundant when a strong Content-Security-Policy is in place, in particular one that does not allow inline JavaScript (that is, one that omits 'unsafe-inline').

Syntax

X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
  • 0 Disables XSS filtering.
  • 1 Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
  • 1; mode=block Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
  • 1; report=<reporting-uri> (Chromium only) Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send the report.
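The following is an added example, not code from this article: a small checker that parses the X-XSS-Protection value into its components (on/off, mode, report URI) and, using the redundancy rule described above, treats a Content-Security-Policy that restricts scripts without 'unsafe-inline' as the stronger control. The sample header sets are constructed, not captured from any real server.

```python
# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = {
    "legacy_block": {"X-XSS-Protection": "1; mode=block"},
    "report": {"X-XSS-Protection": "1; report=/xss-report"},
    "disabled": {"X-XSS-Protection": "0"},
    "csp_only": {"Content-Security-Policy": "default-src 'self'; script-src 'self'"},
    "csp_inline": {"X-XSS-Protection": "1",
                   "Content-Security-Policy": "script-src 'self' 'unsafe-inline'"},
}


def parse_xss_protection(value):
    """Parse an X-XSS-Protection value into (enabled, mode, report_uri)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"invalid X-XSS-Protection value: {value!r}")
    enabled = parts[0] == "1"
    mode = report = None
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "mode":
            mode = val.strip()
        elif key == "report":
            report = val.strip()
    return enabled, mode, report


def csp_blocks_inline(csp):
    """True when script-src (or the default-src fallback) omits 'unsafe-inline'."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # no script restriction at all
    return "'unsafe-inline'" not in sources


def assess(headers):
    """Verdict for one response: 'csp', 'block', 'filter', 'disabled' or 'missing'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp and csp_blocks_inline(csp):
        return "csp"  # CSP without inline scripts makes the legacy header redundant
    raw = lowered.get("x-xss-protection")
    if raw is None:
        return "missing"
    enabled, mode, _ = parse_xss_protection(raw)
    if not enabled:
        return "disabled"
    return "block" if mode == "block" else "filter"
```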