X-XSS-Protection Header Explained
X-XSS-Protection is a legacy HTTP response header that controlled the reflected-XSS filter built into older browsers (Chrome's XSS Auditor and Internet Explorer's XSS Filter). Chromium-based browsers have removed the filter and Firefox never implemented one, so for current browsers the header is a no-op. The recommended value is X-XSS-Protection: 0, which explicitly disables the filter in any browser that still has one, because the filter itself could be abused by attackers. Use Content-Security-Policy for actual XSS protection.
Recommended Value
X-XSS-Protection: 0
What Each Directive Does
| Directive | Purpose |
|---|---|
| `0` | Disable the XSS filter (recommended; the filter is removed in modern browsers) |
| `1` | Enable the XSS filter and sanitize the suspected injection (legacy, not recommended) |
| `1; mode=block` | Enable the filter and block rendering of the entire page on detection (legacy, not recommended) |
What Happens Without This Header
The browser XSS filter was itself a source of vulnerabilities. Because it neutralised any script whose text also appeared in the request, an attacker could craft a URL containing a copy of a legitimate inline script and trick the filter into disabling that script (for example, one that implemented a security control), and the filter's block-or-allow decision could be observed as a cross-site side channel to infer page contents. Chrome removed the XSS Auditor in Chrome 78 (2019), and Firefox never shipped a filter. A response without the header therefore behaves the same as one with `0` in current browsers; only `1` or `1; mode=block` changes anything, and only in old browsers, where it re-enables the abusable filter. Use CSP instead.
How to Implement

```nginx
# Nginx — disable legacy filter
add_header X-XSS-Protection "0" always;
```

```apache
# Apache
Header always set X-XSS-Protection "0"
```

```javascript
// Express.js
app.use((req, res, next) => {
  res.setHeader('X-XSS-Protection', '0');
  next();
});

// Instead, use CSP for XSS protection:
// Content-Security-Policy: script-src 'self'
```
Testing and Report-Only
X-XSS-Protection has no report-only mode (the legacy `report=` directive sent reports from the filter itself, which no current browser runs). More importantly, it should be set to `0` and replaced with Content-Security-Policy, which does offer `Content-Security-Policy-Report-Only` for staged rollout, for actual XSS protection.
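The following is an added example, not code from the original page: a small Node.js audit routine that parses an `X-XSS-Protection` value (the legacy `0` / `1` / `1; mode=block` / `report=` forms), checks whether a response follows this page's recommendation (`0` plus a CSP that actually restricts scripts), and returns findings. The header sets in `SAMPLES` are constructed for the demonstration, not captured from a real server, and the finding texts are this example's own wording.

```javascript
// Added example: audit X-XSS-Protection and Content-Security-Policy on a response.
// Uses only Node.js built-ins; the sample header sets below are constructed.

// Parse an X-XSS-Protection value. Legacy grammar:
//   "0" | "1" [ ";" "mode=block" ] [ ";" "report=<uri>" ]
// Returns null when the header is absent or empty, and { enabled: null }
// when the leading token is neither 0 nor 1.
function parseXssProtection(value) {
  if (value === undefined || value === null) return null;
  const raw = String(value);
  const parts = raw.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const enabled = parts[0] === '1' ? true : parts[0] === '0' ? false : null;
  const result = { enabled, mode: null, report: null, raw };
  if (enabled === null) return result;
  for (const p of parts.slice(1)) {
    const eq = p.indexOf('=');
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : p.slice(eq + 1).trim();
    if (key === 'mode') result.mode = val.toLowerCase();
    else if (key === 'report') result.report = val;
  }
  return result;
}

// Case-insensitive header lookup: Node's http module lowercases names, but a
// hand-built headers object (or another client library) may not.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v.join(', ') : v;
  }
  return undefined;
}

// Returns a list of finding strings. An empty list means the response matches
// the recommendation: X-XSS-Protection: 0 plus a CSP that restricts script sources.
function auditXssHeaders(headers) {
  const findings = [];
  const xss = parseXssProtection(getHeader(headers, 'X-XSS-Protection'));
  if (xss === null) {
    findings.push('X-XSS-Protection missing (low severity): set it to 0 so legacy filters stay off');
  } else if (xss.enabled === null) {
    findings.push(`X-XSS-Protection unparseable: "${xss.raw}"`);
  } else if (xss.enabled) {
    const how = xss.mode === 'block' ? 'blocking mode' : 'sanitizing mode';
    findings.push(`X-XSS-Protection enables the legacy filter (${how}): set it to 0`);
  }

  const csp = getHeader(headers, 'Content-Security-Policy');
  if (csp === undefined) {
    findings.push('Content-Security-Policy missing: no XSS mitigation is in effect');
  } else {
    // A CSP restricts scripts only if script-src or default-src is present.
    const names = csp.split(';')
      .map((d) => d.trim().toLowerCase())
      .filter(Boolean)
      .map((d) => d.split(/\s+/)[0]);
    if (!names.includes('script-src') && !names.includes('default-src')) {
      findings.push('Content-Security-Policy has neither script-src nor default-src: scripts are unrestricted');
    }
  }
  return findings;
}

// Constructed sample responses (not from a real server).
const SAMPLES = {
  legacy: { 'X-XSS-Protection': '1; mode=block' },
  recommended: {
    'x-xss-protection': '0',
    'content-security-policy': "default-src 'self'; script-src 'self'",
  },
  weakCsp: { 'X-XSS-Protection': '0', 'Content-Security-Policy': 'img-src *' },
  noHeaders: {},
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, auditXssHeaders(headers));
}
```

To audit a live site, pass `response.headers` from Node's `https.get` (already lowercased) into `auditXssHeaders`; the lookup is case-insensitive so hand-built objects work too.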