The HTTP X-XSS-Protection header is an older cross-site scripting attack prevention feature that exists in Chrome, Internet Explorer, and Safari browsers. It has become largely unnecessary in modern browser implementations that support a strong HTTP Content-Security-Policy header.

Table of Contents


The HTTP X-XSS-Protection header is used for detecting and preventing certain types of cross-site scripting attacks. However, with the introduction of HTTP Content-Security-Policy header, better protections exist and in fact, the HTTP X-XSS-Protection header can in some cases introduce vulnerabilities.

The directives are as follows:

Disables filtering

X-XSS-Protection: 0

Enables filtering and clean the page if a cross-site scripting attack is detected.

X-XSS-Protection: 1

Enables filtering and block the page, rather than attempt to clear the malware.

X-XSS-Protection: 1; mode=block

Enables filtering and report the page to the specific URL if a cross-site scripting attack is detected.

X-XSS-Protection: 1; report=<URI>


The "X-" naming convention for HTTP headers, "X" referring to "experimental", has been deprecated and need to be transitioned to formal naming convention for HTTP headers.


The HTTP X-XSS-Protection header was implemented by certain browsers to prevent cross-site scripting attacks, but it is not required in modern browsers and shall not be implemented unless legacy support is required.

See also

Last updated: June 20, 2022