X-XSS-Protection

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP.

Header type Response header
Forbidden header name no

Syntax

X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
0
Disables XSS filtering.
1
Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
1; mode=block
Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
1; report=<reporting-URI>  (Chromium only)
Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.

Example

Block pages from loading when they detect reflected XSS attacks:

X-XSS-Protection: 1; mode=block

PHP

header("X-XSS-Protection: 1; mode=block");

Apache (.htaccess)

<IfModule mod_headers.c> 
  Header set X-XSS-Protection "1; mode=block" 
</IfModule>

Specifications

Not part of any specifications or drafts.

Browser compatibility

FeatureChromeFirefoxEdgeInternet ExplorerOperaSafari
Basic Support(Yes)(No)(Yes)8.0(Yes)(Yes)
FeatureAndroidChrome for AndroidEdge mobileFirefox for AndroidIE mobileOpera AndroidiOS Safari
Basic Support(Yes)(Yes)(Yes)(No)?(Yes)(Yes)

See also

Document Tags and Contributors

Tags: 
 Contributors to this page: arthurwhite, fscholz
 Last updated by: arthurwhite,