X-XSS-Protection Header is Missing

Description

This issue has been retired in favour of X-XSS-Protection Header is Set

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. ^Mozilla

Recommendation

Configure your server to send this header for all pages. You can see references for possible values.

References

• Mozilla: Web Security
• Mozilla: X-XSS-Protection
• OWASP github: Remove X-XSS-Protection Response Header
• CWE-16
• OWASP 2021-A5

Related Issues

• X-XSS-Protection Header is Set - Vulnerability
• Content-Security-Policy Header is Missing - Vulnerability
• X-Content-Type-Options Header is Missing - Vulnerability
• X-Frame-Options Header is Missing - Vulnerability

Tags:

HTTP Headers

Cross Site Scripting (XSS)

Application Misconfiguration