
HTTP headers | X-XSS-Protection

HTTP headers pass additional information along with HTTP requests and responses. The X-XSS-Protection HTTP header is a feature that stops a page from loading when the browser detects XSS attacks. This feature is becoming unnecessary as sites increasingly adopt a Content-Security-Policy.

XSS attacks: XSS stands for Cross-site Scripting. In this attack, the attacker bypasses the same-origin policy by targeting a vulnerable web application. The attack is only possible when the HTML is generated dynamically and the user input is not sanitized. The attacker inserts their own HTML code into the web page, and the browser cannot tell it apart from the site's own code. Through that injected code the attacker can gain access to the database and the cookies. To stop this kind of attack, X-XSS-Protection was used in earlier days.



Syntax: 

X-XSS-Protection: directive

Types of XSS Attack: Cross-site scripting attacks are broadly classified into two categories.



Directives: This header field has four directives:

Example 1: Block pages from loading when they detect reflected Cross-site Scripting attacks:  




// Enables the filter and blocks the page from rendering when an attack is detected
X-XSS-Protection: 1; mode=block

// Disables the filter
X-XSS-Protection: 0

Example 2: This will work on an Apache server (requires mod_headers).




<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
</IfModule>

Example 3: This will work on an Nginx server.




add_header "X-XSS-Protection" "1; mode=block";
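As an added example (not part of the original article), the following Python script parses an X-XSS-Protection value into its flag and directives and audits a response's headers for the weak settings shown above, also flagging a missing Content-Security-Policy since the article notes CSP supersedes this header. The sample responses are constructed, not captured from a real server.

```python
# Added example (not from the article): parse and audit X-XSS-Protection.
from typing import Dict, List


def parse_xss_protection(value: str) -> Dict[str, str]:
    """Parse a value such as '1; mode=block' into {'enabled': '1', 'mode': 'block'}.
    The first token is the on/off flag ('0' or '1'); the rest are name=value
    directives separated by semicolons (e.g. mode=block, report=<uri>).
    """
    tokens = [t.strip() for t in value.split(";") if t.strip()]
    if not tokens or tokens[0] not in ("0", "1"):
        raise ValueError(f"invalid X-XSS-Protection value: {value!r}")
    parsed = {"enabled": tokens[0]}
    for token in tokens[1:]:
        name, sep, val = token.partition("=")
        if not sep:
            raise ValueError(f"directive without a value: {token!r}")
        parsed[name.strip().lower()] = val.strip()
    return parsed


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    xss = lower.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection header missing")
    else:
        try:
            parsed = parse_xss_protection(xss)
        except ValueError as exc:
            findings.append(str(exc))
        else:
            if parsed["enabled"] == "0":
                findings.append("XSS filter explicitly disabled (0)")
            elif parsed.get("mode") != "block":
                findings.append("filter enabled without mode=block")
    # The header is only a legacy fallback; a missing CSP is the real gap.
    if "content-security-policy" not in lower:
        findings.append("no Content-Security-Policy; X-XSS-Protection is only a legacy fallback")
    return findings


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'", "X-XSS-Protection": "1; mode=block"},
    "legacy_only": {"x-xss-protection": "1"},
    "disabled": {"X-XSS-Protection": "0", "Content-Security-Policy": "default-src 'self'"},
}
```

Run `audit_headers` over each entry of `SAMPLES`; an empty list means no findings.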

Supported Browsers: The browsers that support the X-XSS-Protection HTTP header are listed below:

 

