X-XSS-Protection

The HTTP X-XSS-Protection response header is an unofficial HTTP header originally designed to activate the cross-site scripting (XSS) filter built into older browsers.

Note

The "X-" naming convention for HTTP headers, where "X" stands for "experimental", has been deprecated; new headers should use the formal naming convention instead.

Legacy

Modern browsers have removed the XSS auditor. Chrome removed the feature, and Firefox never implemented one. The XSS auditor itself introduced security vulnerabilities in certain configurations. The recommended approach is to deploy a strong Content-Security-Policy instead. Servers still sending this header do so as a defense-in-depth measure for legacy clients.

Usage

The X-XSS-Protection header controlled a browser-level heuristic filter designed to detect reflected cross-site scripting attacks. When enabled, the browser scanned incoming HTML for patterns matching URL parameters, and blocked or sanitized the suspicious content.

The XSS auditor approach proved unreliable. Attackers found ways to bypass the filter, and in some cases the filter itself created new vulnerabilities by selectively removing page content, changing application behavior in exploitable ways. Browser vendors retired the feature in favor of the more robust protections offered by Content-Security-Policy.

Values

0

The value 0 disables the XSS filter. This is now the recommended value when the header is sent, because a partially functioning filter introduces more risk than no filter at all.

1

The value 1 enables the XSS filter. When a reflected XSS attack is detected, the browser sanitizes the page by removing the suspected malicious content.

1; mode=block

The 1; mode=block value enables the filter and instructs the browser to block rendering of the entire page rather than attempting to sanitize the content. This avoids the selective-removal vulnerabilities present in the default sanitization mode.

1; report=<url>

The 1; report=<url> value enables the filter and directs the browser to sanitize the page while sending a violation report to the specified URL. This reporting mechanism was a Chromium-specific extension.

Example

Disabling the XSS filter explicitly, the recommended configuration for sites relying on Content-Security-Policy:

X-XSS-Protection: 0

Enabling the filter in block mode, a legacy configuration for environments where CSP deployment is not available:

X-XSS-Protection: 1; mode=block

A defense-in-depth configuration pairing the disabled auditor with a Content-Security-Policy that restricts script sources:

X-XSS-Protection: 0
Content-Security-Policy: script-src 'self'
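A small header audit written in Python as an added example (it is not part of this reference page): it parses X-XSS-Protection into its directives and flags the risks described in the sections above, then checks that a site disabling the auditor carries a Content-Security-Policy with a script-src. The finding wording and the sample response headers are constructed for the example.

```python
"""Audit the X-XSS-Protection / Content-Security-Policy pairing (added example)."""
from typing import Dict, List


def parse_xss_protection(value: str) -> Dict[str, str]:
    """Split '1; mode=block; report=/r' into {'value': '1', 'mode': 'block', 'report': '/r'}."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty X-XSS-Protection value")
    directives = {"value": parts[0]}
    for part in parts[1:]:
        key, _, val = part.partition("=")  # directives are key=value pairs
        directives[key.strip().lower()] = val.strip()
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    raw = lowered.get("x-xss-protection")
    if raw is None:
        findings.append("X-XSS-Protection absent; legacy browsers apply their built-in default, send 0 explicitly")
    else:
        d = parse_xss_protection(raw)
        if d["value"] == "1":
            if d.get("mode", "").lower() != "block":
                # Sanitize mode selectively removes content, which the page describes as exploitable.
                findings.append("X-XSS-Protection: 1 in sanitize mode; use 0 (recommended) or mode=block")
            else:
                findings.append("X-XSS-Protection: 1; mode=block is a legacy-only setting; prefer 0 plus CSP")
            if "report" in d:
                findings.append("report= is a Chromium-specific extension and is ignored by other browsers")
        elif d["value"] != "0":
            findings.append(f"unrecognized X-XSS-Protection value {d['value']!r}")
    # With the auditor retired, script execution control has to come from CSP.
    csp = lowered.get("content-security-policy", "")
    if "script-src" not in csp.lower():
        findings.append("no Content-Security-Policy with script-src; nothing replaces the retired auditor")
    return findings


# Constructed sample response headers, one per configuration shown above.
SAMPLE_RESPONSES = {
    "recommended": {"X-XSS-Protection": "0", "Content-Security-Policy": "script-src 'self'"},
    "legacy": {"X-XSS-Protection": "1; mode=block"},
    "risky": {"x-xss-protection": "1; report=/xss-report"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, audit_headers(hdrs) or ["ok"])
```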

Takeaway

The X-XSS-Protection header activated a now-retired browser XSS filter. Modern security relies on Content-Security-Policy for script execution controls, and the recommended value for this header is 0 to prevent the legacy auditor from introducing vulnerabilities.

Last updated: March 9, 2026