Description
This issue has been retired in favour of X-XSS-Protection Header is Set
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. (Source: Mozilla)
Recommendation
Configure your server to send this header for all pages. See the references below for the possible header values.
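To verify what a server actually sends, the following added example (not the scanner's own check and not part of the original page) parses a raw HTTP response and classifies its X-XSS-Protection state, covering the documented values (0, 1, 1; mode=block, 1; report=...) and flagging the missing case this issue reports. The sample responses are constructed for illustration.

```python
from typing import Dict, List

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response into a case-insensitive header map (status line skipped)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def classify_xss_protection(raw: str) -> str:
    """Return the X-XSS-Protection state: missing, disabled, filter, block, report, multiple or invalid."""
    values = parse_headers(raw).get("x-xss-protection", [])
    if not values:
        return "missing"
    if len(values) > 1:
        return "multiple"  # conflicting copies; browser behaviour is then unpredictable
    directives = [d.strip() for d in values[0].split(";") if d.strip()]
    if directives == ["0"]:
        return "disabled"
    if not directives or directives[0] != "1":
        return "invalid"
    mode = report = None
    for directive in directives[1:]:
        key, _, val = directive.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "mode" and val.lower() == "block":
            mode = "block"
        elif key == "report" and val:
            report = val
        else:
            return "invalid"  # unknown directive or malformed value
    return "report" if report else "block" if mode else "filter"

# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES = {
    "no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "block": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "off": "HTTP/1.1 200 OK\r\nx-xss-protection: 0\r\n\r\n",
    "bad": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=blocc\r\n\r\n",
}

def scan(responses: Dict[str, str]) -> Dict[str, str]:
    """Classify every response; 'missing' is the state this issue reports."""
    return {name: classify_xss_protection(raw) for name, raw in responses.items()}

if __name__ == "__main__":
    print(scan(SAMPLE_RESPONSES))
```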
References
- Mozilla: Web Security
- Mozilla: X-XSS-Protection
- OWASP github: Remove X-XSS-Protection Response Header
- CWE-16
- OWASP 2021-A5
Related Issues
- X-XSS-Protection Header is Set - Vulnerability
- Content-Security-Policy Header is Missing - Vulnerability
- X-Content-Type-Options Header is Missing - Vulnerability
- X-Frame-Options Header is Missing - Vulnerability
Tags
- HTTP Headers
- Cross Site Scripting (XSS)
- Application Misconfiguration
Last updated on May 13, 2024