The HTTP X-XSS-Protection header is an older cross-site scripting attack prevention feature that exists in Chrome, Internet Explorer, and Safari browsers. It has become largely unnecessary in modern browser implementations that support a strong HTTP Content-Security-Policy header.
The HTTP X-XSS-Protection header is used for detecting and preventing certain types of cross-site scripting attacks. However, with the introduction of HTTP Content-Security-Policy header, better protections exist and in fact, the HTTP X-XSS-Protection header can in some cases introduce vulnerabilities.
The directives are as follows:
Enables filtering and clean the page if a cross-site scripting attack is detected.
Enables filtering and block the page, rather than attempt to clear the malware.
X-XSS-Protection: 1; mode=block
Enables filtering and report the page to the specific URL if a cross-site scripting attack is detected.
X-XSS-Protection: 1; report=<URI>
The "X-" naming convention for HTTP headers, "X" referring to "experimental", has been deprecated and need to be transitioned to formal naming convention for HTTP headers.
The HTTP X-XSS-Protection header was implemented by certain browsers to prevent cross-site scripting attacks, but it is not required in modern browsers and shall not be implemented unless legacy support is required.