X-XSS-Protection
Purpose
Why use this header at all?
Browsers can attempt to detect Cross-Site Scripting (XSS) and interactively filter or block the attack.
Recommendation
Consider the Impact of Compliance section below to see if this recommendation works for you.
Enable this header by setting its value to "1" and adding the mode=block directive,
so that the browser discards the entire page when an attempt is detected.
Not all browsers support this header, and it cannot stop every attack, so keep your other precautions in place and treat it as a defense-in-depth measure. Content-Security-Policy is intended to replace this header, and some browsers have already removed support for it.
Risk Mitigated
By following this recommendation, what risk is mitigated?
This header can mitigate some types of XSS attacks.
Impact of Compliance
By using this header, you may expect these changes in your site's functionality
For most websites, there should be no impact.
Next Steps
What you can do to get there
You can set this header through your web server configuration or through settings within your programming language or framework.
Example
What this header may look like when implemented securely
X-XSS-Protection: 1; mode=block
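As an added example (not code from the original page), the following Python snippet shows the two sides of the recommendation: a WSGI middleware that sets the recommended value on every response, and a check that tells you whether a given set of response headers actually meets it. The function and middleware names are this example's own assumptions.

```python
"""Set and verify the X-XSS-Protection header (added example, not from the page)."""
from typing import Optional, Tuple

# The value recommended on the page: filter enabled, page discarded on detection.
RECOMMENDED = "1; mode=block"


def parse_xss_protection(value: str) -> Tuple[bool, Optional[str]]:
    """Parse a header value such as '1; mode=block' into (enabled, mode).

    The first token must be '0' or '1'; later ';'-separated tokens are
    key=value directives, of which only 'mode' matters for this check.
    """
    tokens = [t.strip() for t in value.split(";") if t.strip()]
    if not tokens or tokens[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    enabled = tokens[0] == "1"
    mode = None
    for directive in tokens[1:]:
        key, _, val = directive.partition("=")
        if key.strip().lower() == "mode":
            mode = val.strip().lower()
    return enabled, mode


def meets_recommendation(headers: dict) -> bool:
    """True only if the response enables the filter with mode=block.

    Header names are matched case-insensitively; a missing or malformed
    header counts as not meeting the recommendation.
    """
    value = next((v for k, v in headers.items() if k.lower() == "x-xss-protection"), None)
    if value is None:
        return False
    try:
        enabled, mode = parse_xss_protection(value)
    except ValueError:
        return False
    return enabled and mode == "block"


def add_xss_protection(app):
    """WSGI middleware (hypothetical name) that adds the recommended header.

    Any X-XSS-Protection header the wrapped app already set is replaced so
    the response never carries two conflicting values.
    """
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "x-xss-protection"]
            headers.append(("X-XSS-Protection", RECOMMENDED))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped
```

Pair this with a Content-Security-Policy header rather than relying on it alone, since the page notes browsers are dropping support.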