The X-XSS-Protection header is a security header that helps protect websites from Cross-Site Scripting (XSS) attacks. XSS is a type of vulnerability where attackers inject malicious scripts into web pages viewed by other users. These scripts can steal sensitive information, manipulate the appearance of the page, or perform other malicious actions.
The X-XSS-Protection header specifically addresses reflected and stored XSS attacks by enabling a built-in protection mechanism in modern web browsers.
Purpose of X-XSS-Protection
The primary purpose of the X-XSS-Protection header is to instruct web browsers to activate their XSS filtering mechanisms. When a browser detects a potential XSS attack, it can take various actions to mitigate the risk.
How X-XSS-Protection Works
The X-XSS-Protection header has three directives:

| Directive | Effect |
|---|---|
| 0 | Disables the XSS protection mechanism in the browser. |
| 1 | Enables the XSS protection mechanism and instructs the browser to sanitize the page by removing the malicious script. |
| 1; mode=block | Enables the XSS protection mechanism and instructs the browser to block the entire page if an XSS attack is detected. |
When a web server includes the X-XSS-Protection header in its HTTP response, the browser follows the specified directive to determine how to handle potential XSS attacks:

| Directive | When to use it |
|---|---|
| 0 | Not recommended for security reasons, but may be used for testing or in specific scenarios where XSS protection needs to be turned off. |
| 1 | This is the default behavior. |
| 1; mode=block | A more proactive measure: the page is prevented from loading to protect the user. |
Here is an example of how it is used:
X-XSS-Protection: 1; mode=block
Configure X-XSS-Protection via Web Servers
More detailed instructions on how to configure security headers are available here. The snippets below assume you already know where headers are configured for your web server type:
Apache
<IfModule mod_headers.c>
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
NGINX
add_header X-XSS-Protection "1; mode=block";
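To verify what a server actually sends after applying one of the snippets above, here is an added Python example (not code from the original page) that parses the X-XSS-Protection value into its directive and parameters and classifies it using the three forms listed earlier; the function names and the sample response are constructed for illustration.

```python
# Added example (not from the original page): parse and audit the
# X-XSS-Protection value a server sends. Names below are constructed.
# Note: current Chromium and Firefox ignore this header; it only affects legacy browsers.
import re

# Outcome labels: one per documented directive, plus the failure cases.
MISSING, DISABLED, FILTER, BLOCK, INVALID = (
    "missing", "disabled", "filter", "block", "invalid")

def parse_xss_protection(value):
    """Split e.g. '1; mode=block' into (enabled, {param: value}); None if malformed."""
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        return None
    params = {}
    for part in parts[1:]:
        if not part:  # tolerate a trailing ';'
            continue
        m = re.fullmatch(r"([A-Za-z-]+)\s*=\s*(\S+)", part)
        if m is None:
            return None
        params[m.group(1).lower()] = m.group(2)
    return parts[0] == "1", params

def classify(value):
    """Map a raw header value to one of the outcome labels above."""
    parsed = parse_xss_protection(value)
    if parsed is None:
        return INVALID
    enabled, params = parsed
    if not enabled:
        return DISABLED  # '0': filtering turned off
    if params.get("mode", "").lower() == "block":
        return BLOCK     # '1; mode=block': page is not rendered at all
    return FILTER        # '1': browser sanitizes the page instead

def audit_response(raw_headers):
    """Find X-XSS-Protection in a raw header block (header names are case-insensitive)."""
    for line in raw_headers.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "x-xss-protection":
            return classify(val.strip())
    return MISSING

# Constructed sample of what a server using the Apache/NGINX snippets above sends.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "X-XSS-Protection: 1; mode=block\r\n")

if __name__ == "__main__":
    print(audit_response(SAMPLE_RESPONSE))  # block
```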