X-XSS-Protection
Description
The X-XSS-Protection response header is a feature of some browsers that helps prevent certain types of cross-site scripting (XSS) attacks. When enabled, this security mechanism can detect reflected XSS attacks and either sanitize the affected page or, in block mode, prevent the page from rendering when a potential attack is detected.
Cross-site scripting (XSS) attacks occur when an attacker injects malicious client-side scripts into web pages, which are then executed by the browsers of other users. Reflected XSS attacks involve malicious scripts being reflected off a web server, such as in search results or error messages that include user-supplied data.
It's important to note that while this header adds another layer of security, modern browsers are moving away from this feature in favor of more robust protections like Content Security Policy (CSP). The X-XSS-Protection header is considered a legacy security header but is still useful for supporting older browsers.
Syntax
The syntax of the X-XSS-Protection header follows this structure:
The following directives are available:
0: Disables XSS filtering
1: Enables XSS filtering (usually default in supporting browsers)
1; mode=block: Enables XSS filtering and prevents rendering of the page if an attack is detected
1; report=<reporting-URI>: Enables XSS filtering and reports violations (this is a Chromium-specific extension)
Example Syntax
This example enables XSS filtering and prevents the page from loading if an attack is detected.
Examples
Basic Protection Example
A response with basic XSS protection:
HTTP/1.1 200 OK
Date: Tue, 03 Jun 2025 03:00:00 GMT
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1
Content-Length: 1234

<!DOCTYPE html>
<html>
<head><title>Protected Page</title></head>
<body>
<h1>User Input Reflection</h1>
<p>You searched for: <span id="searchTerm">user input</span></p>
</body>
</html>
In this example, the browser's XSS filter is enabled, which will attempt to detect and sanitize reflected XSS attacks.
Block Mode Example
A response with XSS protection in block mode:
HTTP/1.1 200 OK
Date: Tue, 03 Jun 2025 03:10:30 GMT
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
Content-Length: 1345

<!DOCTYPE html>
<html>
<head><title>Strongly Protected Page</title></head>
<body>
<h1>User Forum</h1>
<div id="userComments">
<p>User comments will be displayed here.</p>
</div>
</body>
</html>
In this example, the browser's XSS filter is configured to completely block rendering of the page if a reflected XSS attack is detected, rather than attempting to sanitize the attack.
Reporting Example
A response with XSS protection that includes reporting:
HTTP/1.1 200 OK
Date: Tue, 03 Jun 2025 03:20:45 GMT
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; report=/xss-report
Content-Length: 1456

<!DOCTYPE html>
<html>
<head><title>Page with XSS Reporting</title></head>
<body>
<h1>User Input Form</h1>
<form action="/process" method="post">
<input type="text" name="userInput">
<button type="submit">Submit</button>
</form>
</body>
</html>
In this example (supported by some Chrome-based browsers), the XSS filter will report detected attacks to the specified endpoint while also applying protection.
Comprehensive Security Headers Example
A response with multiple security headers:
HTTP/1.1 200 OK
Date: Tue, 03 Jun 2025 03:30:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 2345

<!DOCTYPE html>
<html>
<head><title>Highly Secured Page</title></head>
<body>
<h1>Security Demo</h1>
<p>This page implements multiple security headers for comprehensive protection.</p>
</body>
</html>
This example shows X-XSS-Protection being used alongside other security headers as part of a defense-in-depth strategy. Modern security best practices recommend using Content Security Policy as the primary defense against XSS, with X-XSS-Protection as an additional layer.
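As an added example that is not part of the original page, the following Python parses the directive values listed under Syntax and audits the header set of a raw HTTP response like the ones in the examples above, flagging a filter-only setting, the Chromium-specific report directive, and a missing Content-Security-Policy. The SAMPLE response and the finding texts are constructed here for illustration.

```python
# Added example (not from the page): parse X-XSS-Protection values and audit a raw HTTP response.
import re

def parse_xss_protection(value):
    """Parse '0', '1', '1; mode=block' or '1; report=<uri>' into a dict."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"invalid X-XSS-Protection value: {value!r}")
    parsed = {"enabled": parts[0] == "1", "block": False, "report_uri": None}
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg.lower() == "block":
            parsed["block"] = True
        elif name == "report" and arg:
            parsed["report_uri"] = arg          # Chromium-specific extension
        else:
            raise ValueError(f"unknown directive: {directive!r}")
    return parsed

def parse_response_headers(raw):
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]   # headers end at the first blank line
    headers = {}
    for line in head.splitlines()[1:]:                   # skip the status line
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers

def audit(headers):
    """Return findings about weak or legacy XSS header configuration."""
    findings = []
    value = headers.get("x-xss-protection")
    xss = parse_xss_protection(value) if value is not None else None
    if xss is None:
        findings.append("X-XSS-Protection absent")
    elif not xss["enabled"]:
        findings.append("X-XSS-Protection: 0 disables the browser XSS filter")
    elif not xss["block"]:
        findings.append("X-XSS-Protection: 1 without mode=block sanitizes instead of blocking")
    if xss and xss["report_uri"]:
        findings.append("report= is a Chromium-specific extension; do not rely on it")
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy absent: CSP should be the primary XSS defense")
    return findings

# Constructed sample response, modelled on the page's "Block Mode Example".
SAMPLE = ("HTTP/1.1 200 OK\r\nDate: Tue, 03 Jun 2025 03:10:30 GMT\r\nContent-Type: text/html; charset=UTF-8\r\n"
          "X-XSS-Protection: 1; mode=block\r\nContent-Length: 1345\r\n\r\n<!DOCTYPE html><html><body></body></html>")
SAMPLE_FINDINGS = audit(parse_response_headers(SAMPLE))   # expect only the missing-CSP finding
```

Running audit over the Comprehensive Security Headers Example's header lines returns no findings, since it sets both mode=block and a Content-Security-Policy.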
Summary
The X-XSS-Protection response header provides an additional layer of security against reflected XSS attacks in browsers that support it. While it should not be relied upon as the sole defense against XSS vulnerabilities, it can be a useful component in a comprehensive security strategy, especially when supporting older browsers.
Modern web applications should primarily rely on a well-configured Content Security Policy, proper input validation and output encoding, and other security measures to prevent XSS attacks. However, including the X-XSS-Protection header set to 1; mode=block is still recommended as part of a defense-in-depth approach to security. It's worth noting that newer browsers like Chrome have deprecated this feature in favor of more robust solutions, but the header remains harmless to include and beneficial for users of older or alternative browsers that still support it.