X-XSS-Protection Header is Set
Impact: Informational
Description
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks (Mozilla).
- Chrome has removed their XSS Auditor
- Firefox has not, and will not implement X-XSS-Protection
- Edge has retired their XSS filter
This means that if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead.
Recommendation
Do not send this header, or set 0 as its value.
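The following is an added example, not part of the original advisory: a small header audit that mirrors this check. It flags X-XSS-Protection when it is sent with any value other than 0, and inspects Content-Security-Policy for the recommended replacement (a script source list without 'unsafe-inline'). The header values used are constructed samples.

```python
# Added example (not from the original advisory): audit response headers
# for X-XSS-Protection and for a Content-Security-Policy that replaces it.
from typing import Dict, List


def _csp_script_sources(csp: str) -> List[str]:
    """Return the source list that governs scripts: script-src if present,
    otherwise default-src (CSP falls back to default-src for script-src)."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives.get("script-src", directives.get("default-src", []))


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Evaluate response headers; returns a list of findings (empty = clean).
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    xss = h.get("x-xss-protection")
    if xss is not None and xss.split(";")[0].strip() != "0":
        # Any value other than 0 enables a filter that modern browsers have
        # removed; the recommendation is to drop the header or send 0.
        findings.append(f"X-XSS-Protection is set to '{xss}'; send 0 or remove it")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy is missing")
    elif "'unsafe-inline'" in _csp_script_sources(csp):
        findings.append("Content-Security-Policy allows 'unsafe-inline' scripts")
    return findings


# Constructed sample responses (not captured from any real site).
LEGACY = {"X-XSS-Protection": "1; mode=block"}
RECOMMENDED = {
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
}

if __name__ == "__main__":
    for name, hdrs in (("legacy", LEGACY), ("recommended", RECOMMENDED)):
        print(name, audit_headers(hdrs) or ["no findings"])
```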
References
- Mozilla: Web Security
- Mozilla: X-XSS-Protection
- OWASP GitHub: Remove X-XSS-Protection Response Header
Last updated on November 10, 2021