X-XSS-ProtectionX-XSS-Protection controlled the behavior of a reflected-XSS auditor (filter) that some browsers once built in. That filter has since been deprecated because it could itself create security holes, and the recommended setting is to turn it off with X-XSS-Protection: 0.
Older Internet Explorer and Chrome/Safari shipped a heuristic filter that suspected XSS when request parameters were reflected verbatim into the response and blocked them. X-XSS-Protection: 1; mode=block was once recommended, but the filter broke legitimate pages via false positives and, more seriously, let attackers abuse its behavior to selectively neutralize scripts or leak information, creating new vulnerabilities (e.g. cross-site information leaks).
For these reasons Chrome removed the XSS Auditor entirely, Firefox never implemented it, and Edge removed it too. So the 1-family values of this header are mostly ignored by modern browsers, or enable a dangerous filter only in old ones.
Today's recommended setup is X-XSS-Protection: 0 to explicitly disable any lingering legacy filter, while real XSS defense rests on Content-Security-Policy (especially nonce/hash-based script-src) plus server-side output encoding and input validation. This header is a rare case where 'set it, but to 0' is the right answer.
X-XSS-Protection: <0 | 1 | 1; mode=block | 1; report=<url>>e.g. X-XSS-Protection: 0
0 | Disables the browser's built-in XSS auditor (filter). The modern recommended value. |
1 | Enables the filter (legacy browsers); neutralizes suspicious parts on detection. |
1; mode=block | Blocks rendering the whole page on detection; once recommended but abandoned due to side effects. |
1; report=<url> | Reports to the given URL on detection (Chromium-only, deprecated). |