
HTTP headers | X-XSS-Protection


HTTP headers pass additional information with HTTP requests and responses. The X-XSS-Protection HTTP header is a feature that stops a page from loading when the browser detects an XSS attack. It is becoming unnecessary as more sites adopt a Content-Security-Policy.

XSS attacks: XSS stands for Cross-site Scripting. The attack works by bypassing the same-origin policy in vulnerable web applications. It is possible only when the HTML is generated dynamically and the user input is not sanitized. The attacker can then insert their own HTML code into the web page, which the browser does not detect. With that injected HTML code, the attacker can easily gain access to the database and the cookies. X-XSS-Protection was used in the past to stop this kind of attack.


X-XSS-Protection: directive

Types of XSS Attack: Cross-site scripting attacks are broadly classified into two categories.

  • Server XSS: In this type of attack, the attacker attaches untrusted data to the HTML response. The vulnerability is at the server end, and the browser simply runs the script present in the response.
  • Client XSS: In this type of attack, unsafe JavaScript is used to update the DOM data. A JavaScript call that adds JavaScript code to the DOM is called an unsafe JavaScript call.

Directives: This header field has four directives:

  • 0: It disables the X-XSS-Protection.
  • 1: It is the default directive and enables the X-XSS-Protection.
  • 1; mode=block: It enables the X-XSS-Protection. If the browser detects an attack, it will not render the page.
  • 1; report=<reporting-URI>: It enables the X-XSS-Protection. If a Cross-site Scripting attack is detected, the page is sanitized and the attack is reported using the report-uri directive.

Example 1: Block pages from loading when they detect reflected Cross-site Scripting attacks:  


// Enables the protection and blocks the page when an attack is detected
X-XSS-Protection: 1; mode=block
// Disables the protection
X-XSS-Protection: 0

Example 2: This will work on an Apache server.


<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
</IfModule>

Example 3: This will work on an Nginx server.


add_header "X-XSS-Protection" "1; mode=block";
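
To check what a server actually ends up sending, the header value can be parsed against the four directives listed above. The following is an added example, not part of the original article: the function names, the finding texts and the sample response headers are constructed for illustration, and the audit also notes whether a Content-Security-Policy header is present.

```python
# Added example: parse X-XSS-Protection into the four directives described
# in the article and audit one response's headers. SAMPLE is constructed data.

def parse_x_xss_protection(value):
    """Return a dict describing the directive, or raise ValueError."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError("first token must be 0 or 1: %r" % value)
    result = {"enabled": parts[0] == "1", "mode_block": False, "report_uri": None}
    for part in parts[1:]:
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg.lower() == "block":
            result["mode_block"] = True
        elif name == "report" and arg:
            result["report_uri"] = arg
        else:
            raise ValueError("unknown directive: %r" % part)
    if not result["enabled"] and len(parts) > 1:
        raise ValueError("0 takes no further directives: %r" % value)
    return result

def audit(headers):
    """headers: list of (name, value) pairs from one response. Returns findings."""
    values = [v for n, v in headers if n.lower() == "x-xss-protection"]
    has_csp = any(n.lower() == "content-security-policy" for n, _ in headers)
    findings = []
    if not values:
        findings.append("X-XSS-Protection not set")
    elif len(values) > 1:
        # Typical cause: the application and a proxy both add the header.
        findings.append("X-XSS-Protection sent more than once")
    else:
        try:
            d = parse_x_xss_protection(values[0])
            if d["enabled"] and not d["mode_block"]:
                findings.append("enabled without mode=block")
        except ValueError as exc:
            findings.append("malformed value (%s)" % exc)
    if not has_csp:
        findings.append("no Content-Security-Policy header")
    return findings

# Constructed sample response headers (not captured from a real site).
SAMPLE = [("Content-Type", "text/html"), ("x-xss-protection", "1; mode=blok")]

if __name__ == "__main__":
    print(audit(SAMPLE))
```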

Supported Browsers: The browsers that support the X-XSS-Protection HTTP header are listed below:

  • Google Chrome
  • Internet Explorer
  • Safari
  • Opera


Last Updated : 10 Jan, 2022