The HTTP X-XSS-Protection
response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy
that disables the use of inline JavaScript ('unsafe-inline'
), they can still provide protections for users of older web browsers that don't yet support CSP.
- Chrome has removed their XSS Auditor
- Firefox have not, and will not implement
X-XSS-Protection
- Edge have retired their XSS filter
This means that if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy
without allowing unsafe-inline
scripts instead.
Header type | Response header |
---|---|
Forbidden header name | no |
Syntax
X-XSS-Protection: 0 X-XSS-Protection: 1 X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=<reporting-uri>
- 0
- Disables XSS filtering.
- 1
- Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
- 1; mode=block
- Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
- 1; report=<reporting-URI> (Chromium only)
- Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP
report-uri
directive to send a report.
Example
Block pages from loading when they detect reflected XSS attacks:
X-XSS-Protection: 1; mode=block
PHP
header("X-XSS-Protection: 1; mode=block");
Apache (.htaccess)
<IfModule mod_headers.c> Header set X-XSS-Protection "1; mode=block" </IfModule>
Nginx
add_header "X-XSS-Protection" "1; mode=block";
Specifications
Not part of any specifications or drafts.
Browser compatibility
Desktop | Mobile | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
X-XSS-Protection | Chrome No support 4 — 78 | Edge No support 12 — 17 | Firefox No support No | IE Full support 8 | Opera No support ? — 65 | Safari Full support Yes | WebView Android No support No | Chrome Android No support ? — 78 | Firefox Android No support No | Opera Android No support ? — 56 | Safari iOS Full support Yes | Samsung Internet Android Full support Yes |
Legend
- Full support
- Full support
- No support
- No support
- Non-standard. Expect poor cross-browser support.
- Non-standard. Expect poor cross-browser support.