Description
The HTTP X-XSS-Protection response header, originally designed for Internet Explorer, Chrome, and Safari, aimed to mitigate reflected cross-site scripting (XSS) attacks. However, its effectiveness has diminished due to changes in browser behavior: Chrome has removed its XSS Auditor, Firefox does not and will not implement X-XSS-Protection, and Edge has retired its XSS filter. As a result, it is no longer recommended to rely solely on this header for XSS protection.
Recommendation
To enhance XSS protection, it is recommended not to send the X-XSS-Protection header at all, or to set its value explicitly to 0. Instead, deploy a modern Content Security Policy (CSP) whose script-src directive does not allow 'unsafe-inline' scripts; this provides far more robust protection against XSS attacks than the legacy browser filters.
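The following is an added example, not part of the original page, showing how a defender can check a response's headers against this recommendation. It flags an X-XSS-Protection value other than 0, a missing CSP, and a script policy that permits 'unsafe-inline' (honouring the CSP Level 2 rule that 'unsafe-inline' is ignored when a nonce or hash source is also present). The sample header sets are constructed for the demonstration.

```python
from typing import Dict, List, Optional


def _csp_directive(csp: str, name: str) -> Optional[List[str]]:
    """Return the lowercased source list of a CSP directive, or None if absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Audit response headers (case-insensitive names) and return a list of findings."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    # Recommendation 1: X-XSS-Protection should be absent or "0".
    xss = h.get("x-xss-protection")
    if xss is not None and xss.split(";")[0].strip() != "0":
        findings.append(f"X-XSS-Protection is '{xss}'; remove it or set it to 0")

    # Recommendation 2: a CSP must be present and must not allow inline scripts.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header is missing")
        return findings
    sources = _csp_directive(csp, "script-src")
    if sources is None:  # script-src falls back to default-src
        sources = _csp_directive(csp, "default-src")
    if sources is None:
        findings.append("CSP has neither script-src nor default-src; scripts are unrestricted")
    elif "'unsafe-inline'" in sources and not any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    ):
        findings.append("CSP allows 'unsafe-inline' scripts")
    return findings


# Constructed sample header sets for demonstration.
WEAK_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
GOOD_HEADERS = {
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-constructed123'",
}
```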
References
- Mozilla: Web Security
- Mozilla: X-XSS-Protection
- OWASP github: Remove X-XSS-Protection Response Header
- OWASP: Content Security Policy (CSP)
- CWE-16
- OWASP 2021-A5
Related Issues
- X-XSS-Protection Header is Missing - Vulnerability
- Content-Security-Policy Header is Missing - Vulnerability
- Public-Key-Pins Header is Set - Vulnerability
- X-Content-Type-Options Header is Missing - Vulnerability
Tags
- HTTP Headers
- Cross-Site Scripting (XSS)
- Content Security Policy
- Application Misconfiguration