
X-XSS-Protection Header is Set

Impact: Informational

Description

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks (source: Mozilla). Browser support for it has since been withdrawn:

  • Chrome has removed its XSS Auditor
  • Firefox has not implemented X-XSS-Protection and will not
  • Edge has retired its XSS filter

This means that if you do not need to support legacy browsers, it is recommended that you rely instead on a Content-Security-Policy that does not allow unsafe-inline scripts.

Recommendation

Do not send this header, or send it with the value 0.
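The check below is an added example, not SmartScanner's own code: it inspects a constructed set of response headers, flags a non-zero X-XSS-Protection value, and verifies that the Content-Security-Policy actually restricts scripts without 'unsafe-inline' (the header names and sample values are constructed for illustration).

```python
from typing import Dict, List


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_xss_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers (header names matched case-insensitively)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    # The legacy header: absent or "0" is the recommended state.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection is set to a non-zero value; remove it or set it to 0")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("No Content-Security-Policy header; add one that restricts script sources")
        return findings

    policy = _parse_csp(csp)
    # script-src governs scripts; default-src is the fallback when script-src is absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        findings.append("Content-Security-Policy has neither script-src nor default-src")
    else:
        # A nonce or hash source makes CSP2+ browsers ignore 'unsafe-inline'.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
        )
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.append("Content-Security-Policy allows 'unsafe-inline' scripts")
    return findings


# Constructed sample responses: one with the weak configuration, one hardened.
WEAK_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-c0nstructed'",
}
```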

Last updated on November 10, 2021
