The HTTP X-XSS-Protection
response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy
that disallows inline JavaScript (that is, one whose script sources do not include 'unsafe-inline'
), but they can still provide protection for users of older web browsers that don't yet support CSP. Note that the filter is heuristic: it only catches reflected XSS where the injected payload is visible in the request, and in its default "sanitize" mode it rewrites the page rather than refusing to render it, which is why 1; mode=block is the value usually recommended when the header is sent at all. Chrome's built-in filter (the XSS Auditor) was removed in Chrome 78, so the header has no effect in current Chromium-based browsers.
Header type | Response header |
---|---|
Forbidden header name | no |
Syntax
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
- 0
- Disables XSS filtering.
- 1
- Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
- 1;mode=block
- Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
- 1; report=<reporting-URI> (Chromium only)
- Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP
report-uri
directive to send a report.
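To make the value syntax above concrete, here is a small parser and response-header audit written for this page as an added example; it is not code from MDN or from any browser. It parses the four documented forms, flags the page-rewriting "1" mode that the text describes, and checks whether the Content-Security-Policy that is meant to supersede this header actually disallows inline script (the CSP Level 2 rule that a nonce or hash source causes 'unsafe-inline' to be ignored is applied). All header values in the usage at the bottom are constructed sample input.

```python
"""Parse and audit X-XSS-Protection response headers.

Added example for this page; the sample header maps at the bottom are
constructed for illustration and do not come from a real server.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class XssProtection:
    enabled: bool              # False for "0", True for "1"
    mode: Optional[str]        # "block" or None (None means sanitize mode)
    report_uri: Optional[str]  # Chromium-only report target, if any


def parse_xss_protection(value: str) -> XssProtection:
    """Parse the documented syntax: 0 | 1 | 1; mode=block | 1; report=<uri>.

    Whitespace around ';' and '=' is tolerated ("1;mode=block" and
    "1; mode=block" are equivalent); anything else raises ValueError.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty header value")
    flag = parts[0]
    if flag not in ("0", "1"):
        raise ValueError(f"unexpected filter flag {flag!r}")
    result = XssProtection(enabled=(flag == "1"), mode=None, report_uri=None)
    for param in parts[1:]:
        key, sep, val = param.partition("=")
        key, val = key.strip().lower(), val.strip()
        if not sep or not val:
            raise ValueError(f"malformed parameter {param!r}")
        if key == "mode":
            if val.lower() != "block":
                raise ValueError(f"unknown mode {val!r}")
            result.mode = "block"
        elif key == "report":
            result.report_uri = val  # URI may itself contain '=', partition keeps it
        else:
            raise ValueError(f"unknown parameter {key!r}")
    if not result.enabled and (result.mode or result.report_uri):
        raise ValueError("parameters are meaningless when filtering is disabled")
    return result


def is_valid_xss_protection(value: str) -> bool:
    """Convenience wrapper: True if the value parses under the documented syntax."""
    try:
        parse_xss_protection(value)
        return True
    except ValueError:
        return False


def csp_blocks_inline_script(csp: str) -> bool:
    """True when the effective script source list of a CSP forbids inline script.

    script-src wins over default-src; no governing directive means inline
    script is allowed. Per CSP Level 2, 'unsafe-inline' is ignored when the
    same source list carries a nonce or hash, so that case also counts as
    blocking.
    """
    directives: Dict[str, List[str]] = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    if "'unsafe-inline'" not in sources:
        return True
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
               for s in sources)


def audit(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a response header map (case-insensitive keys)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    raw = h.get("x-xss-protection")
    if raw is None:
        findings.append("X-XSS-Protection absent: legacy browsers fall back to their default filter mode")
    else:
        try:
            xp = parse_xss_protection(raw)
        except ValueError as err:
            findings.append(f"X-XSS-Protection unparsable: {err}")
        else:
            if xp.enabled and xp.mode != "block":
                findings.append("X-XSS-Protection: 1 without mode=block rewrites the page instead of "
                                "refusing to render it; prefer '1; mode=block'")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy absent: CSP-capable browsers get no reflected-XSS mitigation")
    elif not csp_blocks_inline_script(csp):
        findings.append("Content-Security-Policy allows inline script ('unsafe-inline' is effective)")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    good = {"X-XSS-Protection": "1; mode=block",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'"}
    weak = {"X-XSS-Protection": "1",
            "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
    for name, hdrs in (("good", good), ("weak", weak)):
        print(name, audit(hdrs) or ["no findings"])
```

The audit treats the CSP check as the primary signal and X-XSS-Protection as the legacy fallback, matching the relationship the text above describes; a server that sends a strong CSP and 1; mode=block produces no findings.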
Example
Block pages from loading when they detect reflected XSS attacks:
X-XSS-Protection: 1;mode=block
PHP
header("X-XSS-Protection: 1; mode=block");
Apache (.htaccess)
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>
Specifications
Not part of any specifications or drafts.
Browser compatibility
Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | Servo |
---|---|---|---|---|---|---|---|
X-XSS-Protection | (Yes) | (Yes) | No support | 8.0 | (Yes) | (Yes) | No support |
Feature | Android | Chrome for Android | Edge Mobile | Firefox for Android | IE Mobile | Opera Mobile | Safari Mobile |
---|---|---|---|---|---|---|---|
X-XSS-Protection | (Yes) | (Yes) | (Yes) | No support | ? | (Yes) | (Yes) |