Revision 1144041 of X-XSS-Protection

  • Revision slug: Web/HTTP/Headers/X-XSS-Protection
  • Revision title: X-XSS-Protection
  • Revision id: 1144041
  • Created:
  • Creator: fscholz
  • Is current revision? Yes
  • Comment: new page

Revision Source

<div>{{HTTPSidebar}}</div>

<p>The HTTP <strong><code>X-XSS-Protection</code></strong> response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting ({{Glossary("XSS")}}) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong {{HTTPHeader("Content-Security-Policy")}} that disables the use of inline JavaScript (<code>'unsafe-inline'</code>), they can still provide protections for users of older web browsers that don't yet support {{Glossary("CSP")}}.</p>

<table class="properties">
 <tbody>
  <tr>
   <th scope="row">Header type</th>
   <td>{{Glossary("Response header")}}</td>
  </tr>
  <tr>
   <th scope="row">{{Glossary("Forbidden header name")}}</th>
   <td>no</td>
  </tr>
 </tbody>
</table>

<h2 id="Syntax">Syntax</h2>

<pre class="syntaxbox">
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=&lt;reporting-uri&gt;
</pre>

<dl>
 <dt>0</dt>
 <dd>Disables XSS filtering.</dd>
 <dt>1</dt>
 <dd>Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).</dd>
 <dt>1; mode=block</dt>
 <dd>Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.</dd>
 <dt>1; report=&lt;reporting-uri&gt; (Chromium only)</dt>
 <dd>Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP {{CSP("report-uri")}} directive to send a report.</dd>
</dl>

<h2 id="Examples">Example</h2>

<p>Block pages from loading when they detect reflected XSS attacks:</p>

<pre class="brush: bash">
X-XSS-Protection: 1;mode=block</pre>

<p>PHP</p>

<pre class="brush: php">
header("X-XSS-Protection: 1; mode=block");</pre>

<p>Apache (.htaccess)</p>

<pre class="brush: bash">
&lt;IfModule mod_headers.c&gt; 
  Header set X-XSS-Protection "1; mode=block" 
&lt;/IfModule&gt;</pre>
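<p>The following is an added example, not part of this MDN page: a small audit helper that parses the four documented forms of the header and classifies a response the way the introduction argues, treating a <code>Content-Security-Policy</code> whose <code>script-src</code> (or <code>default-src</code>) omits <code>'unsafe-inline'</code> as making the legacy filter redundant, and otherwise expecting <code>1; mode=block</code>. All function names and sample headers are the example's own.</p>

```python
def parse_xss_protection(value):
    """Parse the documented forms: 0 | 1 | 1; mode=block | 1; report=<uri>.
    Anything outside that syntax raises ValueError."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"unknown filter flag: {value!r}")
    result = {"enabled": parts[0] == "1", "mode": None, "report": None}
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg == "block":
            result["mode"] = "block"
        elif name == "report" and arg:
            result["report"] = arg  # Chromium only; sent like a CSP report-uri report
        else:
            raise ValueError(f"unsupported directive: {directive!r}")
    return result

def csp_blocks_inline_scripts(csp):
    """True when script-src (default-src as fallback) exists without 'unsafe-inline'."""
    if not csp:
        return False
    directives = {}
    for d in csp.split(";"):
        tokens = d.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    return sources is not None and "'unsafe-inline'" not in sources

def audit_response_headers(headers):
    """Classify one response's headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    strong_csp = csp_blocks_inline_scripts(h.get("content-security-policy"))
    raw = h.get("x-xss-protection")
    if raw is None:
        return ("ok: strong CSP, legacy filter not needed" if strong_csp
                else "missing: send '1; mode=block' for browsers without CSP support")
    try:
        parsed = parse_xss_protection(raw)
    except ValueError as exc:
        return f"invalid: {exc}"
    if not parsed["enabled"]:
        return "disabled: filter turned off" + ("" if strong_csp else ", and no strong CSP")
    if parsed["mode"] == "block":
        return "ok: block mode"
    return "sanitize: filter rewrites the page instead of blocking it"

if __name__ == "__main__":
    # Constructed sample responses for a quick run.
    print(audit_response_headers({"X-XSS-Protection": "1; mode=block"}))
    print(audit_response_headers({"Content-Security-Policy": "script-src 'self'"}))
```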

<h2 id="Specifications">Specifications</h2>

<p>Not part of any specifications or drafts.</p>

<h2 id="Browser_compatibility">Browser compatibility</h2>

<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>

<p>{{Compat("http/headers/x-xss-protection")}}</p>

<h2 id="See_also">See also</h2>

<ul>
 <li>{{HTTPHeader("Content-Security-Policy")}}</li>
 <li><a href="https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/">Controlling the XSS Filter – Microsoft</a></li>
 <li><a href="https://www.virtuesecurity.com/blog/understanding-xss-auditor/">Understanding XSS Auditor – Virtue Security</a></li>
 <li><a href="http://blog.innerht.ml/the-misunderstood-x-xss-protection/">The misunderstood X-XSS-Protection – blog.innerht.ml</a></li>
</ul>