X-XSS-Protection

Cross-site scripting (XSS) payloads are typically delivered as inline JavaScript, so the X-XSS-Protection header was introduced to let the browser fight this on its side. The header is enabled by default in Chrome, IE and Safari, but it is better to set it explicitly so that the policy is enforced. Firefox does not support this HTTP header; it relies on CSP (Content Security Policy) for the same protection. The header is being replaced by the CSP HTTP header, which can disallow "unsafe-inline" scripts. Not all browsers support CSP fully, so it is better to use X-XSS-Protection along with CSP.

NOTE: X-XSS-Protection relies on the XSS filter built into the browser and is only supported by legacy browsers. It has been disabled or deprecated in most modern browsers and is being replaced by CSP (Content Security Policy). Unless you are working with an old browser version, use the CSP header instead.

The following configurations exist for the X-XSS-Protection header:

X-XSS-Protection: 0
This setting disables the X-XSS-Protection filter; the page will not be tested for inline JavaScript.

X-XSS-Protection: 1
Enables the XSS filter. If a cross-site scripting attempt is detected, it is sanitized and the page is loaded.

X-XSS-Protection: 1; mode=block
Enables the XSS filter. If a cross-site scripting attempt is detected, the page is not loaded at all.

X-XSS-Protection: 1; report=<reporting-uri>
Enables the XSS filter. If a cross-site scripting attempt is detected, it is sanitized and the page is loaded; in addition, a report is sent to the defined reporting URI. The report directive is only honoured by Chromium-based browsers.
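To check which of the above policies a server actually sends, the small parser below reads an X-XSS-Protection value, extracts the mode and report directives, and flags weak configurations alongside a missing Content-Security-Policy. It is an added example, not code from the original post; the header values in it are constructed samples.

```python
"""Parse and assess X-XSS-Protection header values (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class XssProtectionPolicy:
    enabled: bool            # first token is 1 (on) or 0 (off)
    block: bool              # mode=block present
    report_uri: Optional[str]  # report=<uri> present (Chromium only)


def parse_x_xss_protection(value: str) -> XssProtectionPolicy:
    """Parse values such as '0', '1', '1; mode=block' or '1; report=<uri>'.

    The first ';'-separated token is the on/off toggle, the remaining
    tokens are directives; unknown directives are ignored, as a browser
    would ignore them.
    """
    tokens = [t.strip() for t in value.split(";") if t.strip()]
    if not tokens or tokens[0] not in ("0", "1"):
        raise ValueError(f"invalid X-XSS-Protection value: {value!r}")
    enabled = tokens[0] == "1"
    block, report_uri = False, None
    for directive in tokens[1:]:
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name == "mode" and val.lower() == "block":
            block = True
        elif name == "report" and val:
            report_uri = val
    return XssProtectionPolicy(enabled, block, report_uri)


def assess_headers(headers: dict) -> list:
    """Return findings for a response's headers (case-insensitive names)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    xss = lowered.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing: legacy browsers use their default filter")
    else:
        policy = parse_x_xss_protection(xss)
        if not policy.enabled:
            findings.append("X-XSS-Protection: 0 explicitly disables the legacy XSS filter")
        elif not policy.block:
            findings.append("XSS filter in sanitize mode; prefer '1; mode=block'")
    if "content-security-policy" not in lowered:
        findings.append("Content-Security-Policy missing: modern browsers get no XSS mitigation")
    return findings


if __name__ == "__main__":
    # constructed sample response headers, not captured from a real server
    print(assess_headers({"X-XSS-Protection": "1", "Server": "example"}))
```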

More information can be found in the following URL:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

If you are interested in configuring X-XSS-Protection header for your webserver, then you can check out the following site:
https://www.keycdn.com/blog/x-xss-protection
