X-XSS-Protection Header is Set

Impact: Informational


The HTTP X-XSS-Protection response header, originally implemented by Internet Explorer, Chrome, and Safari, was intended to mitigate reflected cross-site scripting (XSS) attacks. Its effectiveness has diminished as browser behavior changed: Chrome has removed its XSS Auditor, Firefox does not and will not implement X-XSS-Protection, and Edge has retired its XSS filter. As a result, relying solely on this header for XSS protection is no longer recommended.


To enhance XSS protection, it is recommended either not to send the X-XSS-Protection header at all or to set its value explicitly to 0. Instead, use a modern Content Security Policy (CSP) that does not allow unsafe-inline scripts, which provides more robust protection against XSS attacks.
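The following added example (not SmartScanner's own code) checks a set of response headers against the advice above: it flags a non-zero X-XSS-Protection value, a missing CSP, a CSP that constrains neither script-src nor default-src, and a CSP whose effective script sources allow 'unsafe-inline'. The sample header sets are constructed for illustration.

```python
from typing import Dict, List, Optional

# Constructed sample responses for illustration (not captured from any real site).
WEAK_HEADERS = {"X-XSS-Protection": "1; mode=block"}
RECOMMENDED_HEADERS = {
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_sources(policy: str) -> Optional[List[str]]:
    """Sources governing scripts: script-src, else its fallback default-src, else None."""
    directives = parse_csp(policy)
    for name in ("script-src", "default-src"):
        if name in directives:
            return [s.lower() for s in directives[name]]
    return None


def assess_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings against the advice above; an empty list means the response follows it."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    xss = lower.get("x-xss-protection")
    if xss is not None and xss.split(";")[0].strip() != "0":
        findings.append("X-XSS-Protection is enabled; omit the header or set it to 0")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")
        return findings
    sources = script_sources(csp)
    if sources is None:
        findings.append("CSP sets neither script-src nor default-src, so scripts are unrestricted")
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash source is present,
    # so that combination counts as a strict policy here.
    elif "'unsafe-inline'" in sources and not any(s.startswith(NONCE_OR_HASH) for s in sources):
        findings.append("CSP allows 'unsafe-inline' scripts")
    return findings
```

Header names are matched case-insensitively, as HTTP requires.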


Last updated on May 13, 2024

Use the SmartScanner Free version to test for this issue