X-XSS-Protection
Response header Security

Overview

X-XSS-Protection controlled the behavior of a reflected-XSS auditor (filter) that some browsers once built in. That filter has since been deprecated because it could itself create security holes, and the recommended setting is to turn it off with X-XSS-Protection: 0.

Details

Older Internet Explorer and Chrome/Safari shipped a heuristic filter that suspected XSS when request parameters were reflected verbatim into the response and blocked them. X-XSS-Protection: 1; mode=block was once recommended, but the filter broke legitimate pages via false positives and, more seriously, let attackers abuse its behavior to selectively neutralize scripts or leak information, creating new vulnerabilities (e.g. cross-site information leaks).

For these reasons Chrome removed the XSS Auditor entirely, Firefox never implemented it, and Edge removed it too. So the 1-family values of this header are mostly ignored by modern browsers, or enable a dangerous filter only in old ones.

Today's recommended setup is X-XSS-Protection: 0 to explicitly disable any lingering legacy filter, while real XSS defense rests on Content-Security-Policy (especially nonce/hash-based script-src) plus server-side output encoding and input validation. This header is a rare case where 'set it, but to 0' is the right answer.

Syntax

X-XSS-Protection: <0 | 1 | 1; mode=block | 1; report=<url>>

e.g. X-XSS-Protection: 0

Directives / values

0Disables the browser's built-in XSS auditor (filter). The modern recommended value.
1Enables the filter (legacy browsers); neutralizes suspicious parts on detection.
1; mode=blockBlocks rendering the whole page on detection; once recommended but abandoned due to side effects.
1; report=<url>Reports to the given URL on detection (Chromium-only, deprecated).

Notes

Related headers

Related status codes

Specification