The HTTP X-XSS-Protection
response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy
that disables the use of inline JavaScript ('unsafe-inline'
), they can still provide protections for users of older web browsers that don't yet support CSP.
Header type | Response header |
---|---|
Forbidden header name | no |
X-XSS-Protection: 0 X-XSS-Protection: 1 X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=<reporting-uri>
report-uri
directive to send a report.Block pages from loading when they detect reflected XSS attacks:
X-XSS-Protection: 1; mode=block
PHP
header("X-XSS-Protection: 1; mode=block");
Apache (.htaccess)
<IfModule mod_headers.c> Header set X-XSS-Protection "1; mode=block" </IfModule>
Nginx
add_header "X-XSS-Protection" "1; mode=block";
Not part of any specifications or drafts.
Desktop | ||||||
---|---|---|---|---|---|---|
Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | |
Basic support | Yes | Yes | No | 8 | Yes | Yes |
Mobile | |||||||
---|---|---|---|---|---|---|---|
Android webview | Chrome for Android | Edge Mobile | Firefox for Android | Opera for Android | iOS Safari | Samsung Internet | |
Basic support | Yes | Yes | Yes | No | Yes | Yes | Yes |
Content-Security-Policy
© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection